TWI280768B - Method and apparatus for security in a data processing system - Google Patents

Abstract

Method and apparatus for secure transmissions. Each user is provided a registration key. A long-time updated broadcast key is encrypted using the registration key and provided periodically to a user. A short-time updated key is encrypted using the broadcast key and provided periodically to a user. Broadcasts are then encrypted using the short-time key, wherein the user decrypts the broadcast message using the short-time key. One embodiment provides link layer content encryption. Another embodiment provides end-to-end encryption.

Description

</ RTI> <RTIgt; </ RTI> <RTIgt; </ RTI> <RTIgt; </ RTI> <RTIgt; </ RTI> <RTIgt; </ RTI> </ RTI> </ RTI> </ RTI> </ RTI> </ RTI> </ RTI> </ RTI> </ RTI> <RTIgt; The sequel to the copending portion of the patent application is hereby incorporated by reference. TECHNICAL FIELD OF THE INVENTION The present invention relates generally to data processing systems, and more particularly to a method and apparatus for security in a data processing system. [Prior Art] The confidentiality in the data processing information system (including the communication system) embeds the principles of accountability, fairness, credibility, operability, and various other expectations. Encryption (or cryptography in the general domain) is used in e-commerce, wireless communications, broadcast services, and unlimited coverage. In e-commerce, encryption is used to prevent authentication in financial transactions. In the data processing system, encryption is used to verify a participating # _ identity. Encryption is also used to prevent hackers and protect web pages from being considered as long-lasting access to confidential files. A symmetric encryption system (commonly referred to as "cryptosystem") uses the same Jin Yu (ie, a secret key) to encrypt and resolve information. Conversely, an asymmetric encryption system uses a first key (ie, Share the public key to encrypt the message and use different Jinyu (ie, private key) to decrypt the message. The asymmetric encryption system is also called g 87743 1280768 to the yoga encryption system. The problem with the wild-type encryption system is that the sender must provide the entire key to the recipient from the &amp; key. In addition, there is a problem with updating +I, -, rain or The frequency of other encryption mechanisms. The method of updating the key in the data processing ',,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, Transmission bandwidth. First, the technology is not used to update the key for the large group mobile station, so that the user can access an encrypted broadcast message. Therefore, it needs to be used in the greedy processing system. A method of updating King Kong safely and efficiently. In addition, A set-up is a method for securely and efficiently updating a key in a wireless communication system. [Invention] A specific embodiment solves the aforementioned needs by providing a security method in a data processing system. In one aspect, a method of secure transmission includes: determining a registration key unique to a transmission participant; a first key; using the registration key to encrypt the first key; determining a second key; using the first key to encrypt the second key; and updating the first key and the first In another aspect, a method for secure reception includes: receiving a registration key unique to a transmission participant; receiving a first key; using the registration key to resolve the first key Receiving a second key; decrypting the second key using the first key; receiving a broadcast information stream; and using the second key to decrypt the broadcast information stream. In another aspect, Support for broadcast services Line communication system, 87743 1280768 includes: an infrastructure component including a receiving circuit; a user identification unit operative to restore a short-term key for decrypting a broadcast message; and a mobile device unit adjusted And the short-term key for decrypting the broadcast message is applied. The user identification unit includes a processing unit that operates to decrypt the key information, and a memory storage device for storing a registration key. The term "demonstration" used in this article means "serving as an instance, example or explanation." Any specific embodiments described herein as "exemplary" are not necessarily to be considered as preferred embodiments or preferred embodiments. Wireless communication systems are widely deployed to provide various types of communication such as voice, data, and the like. These systems may be based on code division multiple access (CDMA), time division multiple access (TDMA) or other modulation techniques. CDMA systems have advantages over other types of systems, including increased system capacity. The system can be designed to support one or more standards, such as "TIA/EIA/IS-95-B Mobile-Base Station Compatibility Standard for Dual Mode Broadband Spread Spectrum Honeycomb Systems" (TIA/EIA/IS) -95-B Mobile Station-Base Station Compatibility Standard for Dual-Mode Wideband Spread Spectrum Cellular System), referred to herein as the IS-95 standard; by the "3rd Generation Partnership Project" (3GPP) The standards provided by the joint organization, referred to herein as the 3GPP standards, are standards that are embodied in a set of documents, including document numbers 3G TS 25.211, 87743 1280768 3G TS 25·212, 3G TS 25.213, and 3G TS 25.214, 3G TS 25.302, referred to herein as the W-CDMA standard); a standard provided by a consortium named "3i*d Generation Partnership Project 2" (3GPP2), referred to herein as the 3GPP2 standard And TR-45.5, referred to herein as the cdma2000 standard, formerly known as IS-2000 MC. The criteria listed above are incorporated herein by reference. Each standard defines the data processing used for transmission from the base station to the mobile station, and vice versa. Taking the exemplary embodiment as an example, the following discussion considers a spread spectrum communication system that conforms to the cdma2000 system. Alternative embodiments may be incorporated into other standards/systems. Still other embodiments may apply the secure processing methods discussed herein to any type of data processing system that uses an encryption system. The encryption system is a method for disguising messages in such a way as to allow a particular group of users to pick up the message. Figure 1A shows a basic encryption system 10. Password compilation (encryption) is a technique for establishing and using an encryption system. Cryptanalysis is a technique for cracking an encryption system, that is, a person who is not a specific group of users who are permitted to access the message receives and understands the message. The original message is called plain text or plaintext. The encrypted message is called a ciphertext, and the encryption contains any component for converting plain text to cipher text. Decryption contains any artifacts used to convert password text into plain text, that is, to restore the original message. As shown in FIG. 1A, the plain text message is encrypted to construct a password text. The password text is then received and decrypted to restore the plain text. Although the words "plain text" and "password text" are widely used for information, the concept of encryption also applies to any number of 87743 -10- 1280768 messages, including audio and video data in digital form. Although the specification of the present invention provided herein uses the words "plain text" and "password text" consistent with the cipher compilation, these terms do not exclude other forms of digital communication. The encryption system is based on confidentiality. A group of entities shares a secret, and an entity that does not belong to a group cannot obtain a secret without a large amount of resources. This secret is seen as a security protection association between entity groups. The encryption system may be a collection of algorithms, each of which has an indication tag and the tag is called a key. Symmetric encryption systems (often referred to as "cryptosystems") use the same key (ie, a secret key) to encrypt and decrypt messages. Figure 1B shows a symmetric encryption system 20 in which both encryption and decryption utilize the same private key. Conversely, an asymmetric encryption system uses a first key (i.e., a public key) to encrypt the message and a different key (i.e., a private key) to decrypt the message. Figure 1C shows an asymmetric encryption system 30 in which a key for encryption and a key for decryption are provided. An asymmetric encryption system is also known as a shared key encryption system. The shared key is available for distribution and retrieval to encrypt any message, however, only private gold can be used to decrypt the message encrypted with the shared key.

A problem with symmetric cryptosystems is that the secret key is securely provided from the transmitting party to the recipient. In one scenario, information can be provided by express messenger, or a more efficient and reliable solution for using a shared key encryption system, such as the shared key encryption system defined by Rivest, Shamir, and Adleman (RSA). , as described in the detailed description below. The RS A 87743 -11 - 1280768 system is used in popular security protection tools called Pretty Good Privacy (PGP), as described in the detailed description below. For example, an original recording type encryption system shifts the η bits in the letter system by shifting each letter in the plain text, where η is a predetermined constant integer value. In this configuration, &quot;Α will be replaced by '’D&quot;, etc., one of the established encryption configuration structures may contain several different values of η. In this cryptographic configuration, πη” is the key. The intended recipient has the encryption configuration structure before receiving the password text. In this way, only the knowledge of the key can decrypt the password text, and the pure text can be restored. However, by using the encryption knowledge to calculate the key, the unscheduled person can interpret and decrypt the ciphertext, thus creating a security problem. More sophisticated encryption systems use multiple strategic keys to deter unscheduled interpretation and decryption. A typical encryption system uses the encryption function E and the decryption function D, so that: D_K(E-K(P))-P, suitable for any plain text P (1) in the shared key encryption system, from known The "shared key" can be easily calculated as Ε_Κ, and the "shared key" can be calculated from the private key 。. Υ has been released so anyone can encrypt the message. The decryption function D_K is calculated from the shared key ,, but the private key K must be known. If the private key K is not known, the unscheduled recipient cannot decrypt the password text generated in this way. In this method, only the recipient who generated the private key K can decrypt the message. RSA is a shared key encryption system defined by Rivest, Shamir, and Adleman et al. For example, pure text is treated as a positive integer up to 2512. 87743 -12 - !280768 Jin Yu is a quadruple value group (md), where the false heart is a -256_bit prime number, q is a 258 bit KTLi number, and is a large value, and (n) can be (pl) (ql) Divide. In addition, the encryption function is defined as ··· E_K(P)=Pe m〇d pq5 DK(C)=Gd m〇d pq (2) Although e- can be easily calculated from the Jinwen group (pq, e) k, but there is no known simple s way to calculate d-k from the key group (heart). For this reason, a recipient who produces κ can issue (pq, e). Since the recipient is the only person who can read the confidential message, the confidential message can be delivered to the recipient. PGP, and &amp; symmetric add-on, and asymmetric encryption features. Figures (1) and 1E show a PGP encryption system 5 in which a plain text message is encrypted and restored. The plain text message will be compressed in the ® 1D towel to save data transfer time and magnetic (four). Compression processing enhances the cryptographic compilation security by adding other levels of translation processing to the encryption processing and decryption processing. The addition analysis technique of the big #伤 is to use the pattern found in plain text and to hack in , code (cipher). Compression reduces the pattern in plain text, thereby enhancing the resistance to cryptanalysis. Please note that in a specific embodiment, if the text or other message is too short to compress or compress, it will not be compressed. Then PGP builds the session key, which is the guarantee key that is executed only once. The session key is a random number that can be generated from any random event, such as when the mouse moves and typing. The session will be accompanied by a secure encryption algorithm to encrypt plain text and generate password text. Once the batten has been encrypted, the session key is then encrypted into a recipient's common to Yu. This shared key encryption type session key is transmitted to the recipient along with the password text 87743 -13 - 1280768. Figure 1E tf '胄 When the recipient wants to decrypt, the recipient's copy uses a private key to restore the temporary session key, and then PGP uses the temporary (three) period key to encrypt by convention. The password text is decrypted. The encryption method 4 combines the convenience of the shared key encryption method and the speed of the symmetric encryption method. Symmetric encryption is usually faster than shared key cryptography. Next, the shared money cryptography provides a solution to the problem of key distribution and data transmission. The combined approach improves performance and Jin Yu's emissions without sacrificing safety. A key is a value that is used in conjunction with a cryptographic compilation algorithm to produce a particular cryptographic literal. Basically, the golden gun is a very large number. The size of Jin Yu is based on the position of the unit. In the shared key cryptography, the key size adds security, but there is usually no correlation between the shared key size and symmetric encryption: the private key size. In the shared Golden Encryption method, the size of the gold is increased, but there is usually no correlation between the size of the shared gun and the size of the private key of the symmetric encryption method. The derivation of private gold input may give enough time and computing power to make the choice of Jin Yu size an important security issue. The goal is to have a secure prison key while maintaining a small enough key size to speed up processing. An additional concern is the expected intercept H, specifically, the importance of the message to the third party, and how much resources the third party needs to decrypt. The bigger the Jin Yu, the longer the password scale protection period will be. The key is stored in encrypted form. PGP explicitly stores the keys in two files; one stores the shared key and the other stores the private key. These archives spears 87743 -14- 1280768 title ring (four) ah). In the application, the PGp encryption system adds the target recipient's shared amount to the sender's shared keyring. The sender's private keyring is stored in the sender's shared ring. As discussed in the discussion of examples provided by 刖, the method of distributing cryptographic and cryptographic credits can be very complicated. The "golden exchange problem" includes ensuring that the exchanged gold will allow the sender and the recipient to perform separate processing and decryption processing, and for both-way communication, the sender and the recipient are both parties. You can add f and decrypt the message. In addition, you want to perform key exchange to prevent: Non-preemptive third-party interception. Finally, an additional consideration is identification, which allows the recipient to ensure that the message is encrypted by the intended sender, rather than being encrypted by a third party. In a private key exchange system, the securely exchanged key provides improved security after successful exchange of the Golden Wheel and effective authentication. Please note that the private key encryption configuration structure implicitly provides a clock. The basic idea in a private cash balance system is that the 'only sender' has a key for encrypting the message to the intended recipient. Although sharing the Jinyu password and the zebra method solves the key to the "golden painting and change the problem" - specifically, even during the key exchange period, there are (four) eavesdroppers' but still resistant to analysis; but the common golden gun password The compilation method does not solve any of the questions related to the gold exchange. And because the key is regarded as "public knowledge" (especially RSA), so there is a certain mechanism for providing identification, because it only has The key (enough to encrypt the message) does not prove that the sender's unique unique identity is 'and the corresponding decryption key alone does not identify the identity. ' /, Fang Muyu 4 to develop a key distribution mechanism to ensure that the listed 87743 -15-1280768 read is the key of the established entity, sometimes referred to as trusted authorization transfer, certificate authority or Work together to negotiate trust institutions. The authorized unit does not actually generate the key, but ensures that the sender and the recipient refer to the saved and usual key list and related identification identity correctly and not &amp; Another: The method relies on the user to distribute and track the gold balance of each other, and trusts the informal distribution method. According to RSA, if the user wants to transmit the encrypted identity in addition to the encrypted message, the user can use the shared key to encrypt the signature. (4) The RSA algorithm can be used to verify the information decryption in the reverse order, confirming that only the sender can use the secret Jinyu to encrypt the plain text. An encrypted "signature" is a "message digest" containing a unique "macro" (__7) of a secret message (if the signature belongs to a static state across multiple messages, once the previous recipient knows In this way, it is possible to use the signature in a dishonest manner. In this way, only the sender of the message can generate a valid signature for the message, thereby identifying the identity of the recipient to the recipient. Usually the password is used to compile the hash function. Calculate the message digest. The length, method, and code-matching hash function will calculate a value (with a fixed number of bits) from any input. A feature of the cryptographic compiling hash function is to provide a Output value, it is difficult to calculate the output value to determine the input that will result in the output. An example of a cryptographic compilation hash function is, for example, Federal

SHA-1 as described in FIPS PUB 180-1 "Secure Hash Standard" published by Information Processing Standards Publications (FIPS PUBS) and published by the National Institute of Standards and Technology. 87743 - 16 - 1280768 Figure 2 shows a diagram of a communication system 100 that supports a number of users and is capable of implementing at least some of the aspects and embodiments of the specific embodiments of the present invention. Various algorithms and methods can be used to schedule transmissions in system 100. System 100 provides communication for a number of cells 102A through 102G, each of which is serviced by a corresponding base station 104A through 104G. In an exemplary embodiment, some base stations 104 have multiple receive antennas, while other base stations have only one receive antenna. Similarly, some base stations 104 have multiple transmission antennas, while other base stations have only a single transmission antenna. There are no restrictions on the combination of the transmitting antenna and the receiving antenna. Thus, base station 104 may have multiple transmit antennas and a single receive antenna, or may have multiple receive antennas and a single transmit antenna, or may have single or multiple transmit antennas and receive antennas. The terminal 106 in the coverage may be a fixed terminal (ie, fixed) or a mobile terminal. As shown in Fig. 2, various terminal units 106 are placed at different locations throughout the system. Each terminal 106 may communicate with at least one or possibly a plurality of base stations 104 on the downlink and uplink at any particular time, for example, depending on whether soft handoff is employed, or whether the terminal is designed and operated. Multiple transmissions from multiple base stations are received (simultaneously or continuously). Soft handoff in CDMA communication systems is well known to us and is described in detail in U.S. Patent No. 5,101,501 entitled "METHOD AND SYSTEM FOR PROVIDING A SOFT HANDOFF IN A CDMA CELLULAR TELEPHONE SYSTEM" The patent has been assigned to the assignee of the present invention. The downlink represents the transmission from the base station to the terminal, while the uplink represents the transmission of the 87743 -17-1280768 table from the terminal to the base station. In an exemplary embodiment, some of the terminals 106 have multiple receive antennas, while other terminals have only one receive antenna. In Figure 2, on the downlink, base station 104A transmits data to terminals 106A and 106J, base station 104B transmits data to terminals 106B and 106J, and base station 104C transmits the data to terminal 106C and the like. The increasing demand for wireless data transmission and the expansion of services available via wireless communication technologies have led to the development of specific data services. One such service is called High Data Rate (HDR). A proposal for an exemplary HDR service is proposed in the "EIA/TIA-IS856 cdma2000 High Rate Packet Data Air Interface Specification", which is called "HDR Specification". HDR services are typically superimposed on voice communication systems for providing an efficient method of transmitting data packets in a wireless communication system. As the amount of data transferred and the number of transmissions increase, the limited radio power available for radio transmission becomes a critical resource. Therefore, there is a need in the communication system for an efficient and fair transmission scheduling method to optimize utilization of the available bandwidth. In the exemplary embodiment, the system 100 shown in Figure 2 is compliant with a CDMA type system with HDR service. According to a specific embodiment, the system 1 supports a high speed multimedia broadcast service called High-Speed Broadcast Service (HSBS). Examples of HSBS applications are movies, sports news, etc. HSBS is a packet data service based on the Internet Protocol (IP). According to an exemplary embodiment, the service provider indicates to the user the availability of such high speed broadcast service. Users who want HSBS monthly I order to receive services, and can use advertising, short message tube 87743 -18- 1280768 (Short Management System; SMS), Wireless Application Protocol (WAP), etc. To find the broadcast schedule. The mobile user can be called a mobile station (MS). The base station (BS) transmits HSBS related parameters in the add message. When the MS wants to receive the broadcast session, the MS reads the add signal message and learns the appropriate configuration. The MS then tunes to the frequency containing the HSBS channel and receives the broadcast service content. This service is considered a high-speed multimedia broadcast service. In this document, this service is called High-Speed Broadcast Service (HSBS). An example is film, sports news, etc. This service may be a packet data service based on the Internet Protocol (IP). The service provider indicates to the user the availability of such a high speed broadcast service. Users who want such services subscribe to receive the service and can find the broadcast schedule through advertising, SMS, WAP, and more. The base station transmits the parameters related to the broadcast service in the add signal message. The mobile station that wants to receive the broadcast session will read the message to determine the appropriate configuration, tune to the frequency containing the high speed broadcast channel, and begin receiving the broadcast service content. There are several possible HSBS service subscription/revenue models, including free access, controlled access, and partially controlled access. For free access, the mobile station receiving service does not require any ordering. The BS broadcasts unencrypted content and the interested mobile station can receive the content. Service providers can generate revenue through advertisements that can also be transmitted on the broadcast channel. For example, a movie studio that pays to a service provider will transmit a movie trailer that will be released soon. 87743 -19- 1280768 For controlled access, the MS user subscribes to the service and pays a corresponding fee to receive the broadcast service. Unsubscribed users cannot receive HSBS services. Controlled access is achieved by encrypting HSBS transport/content, so only users who have subscribed can decrypt the content. This can be done using an air-to-air encryption key exchange program. This mechanism provides strong security and prevents theft of services. A hybrid access mechanism (referred to as locally controlled access) provides the HSBS service as a subscription-architecture service, which is an encrypted service that uses intermittent and unencrypted advertisement transmissions. These advertisements are scheduled to subscribe to the encrypted HSBS service. The MS can learn these unencrypted sector schedules through an external device. 3 shows a wireless communication system 200 in which a Content Server (CS) 201 provides video and audio information to a Packetized Data Service Node (PDSN) 202. Video and audio information may be from television broadcasts or radio transmissions. The information system is provided as packetized data, such as IP packets. The PDSN 202 processes the IP packets for distribution within the Access Network (AN). As shown, the AN is defined as a component belonging to the system, wherein the system includes a BS 204 that communicates with a plurality of MSs 206. The PDSN 202 is coupled to the BS 204. For HSBS services, BS 204 receives the information stream from PDSN 202 and provides the information to subscribers within system 200 on the designated channel. In order to control access, the content may be encrypted by CS 201 before being provided to PDSN 202. The subscribed user has the decryption key, so the IP packet can be decrypted. Figure 4 shows a detailed diagram of MS 300 (similar to MS 206 of Figure 3). The antenna 302 of the MS 300 is coupled to the receiving circuit 304. The MS 300 receives transmissions from BS (not shown, similar to BS 204 of Figure 3). The MS 300 includes 87743 -20 - 1280768 a User Identification Module (UIM) 308 and a Mobile Equipment (ME) 306. Receive circuitry is coupled to UIM 308 and ME 3 06. The UIM 308 applies a verification procedure for HSBS transmission security protection and provides various keys to the ME 306. ME 306 can be coupled to processing unit 312. The ME 306 performs important processing including, but not limited to, decrypting the HSBS content stream. The ME 306 includes a memory storage unit MEM 3 10 . In an exemplary embodiment, the non-subscriber can easily access the data in the ME 306 process (not shown) and the data in the ME memory storage unit MEM 3 10 using limited resources, so the ME 306 is viewed. It is not safe. Any information passed to the ME 306 or any information processed by the ME 306 can only maintain a short period of security secrets. Therefore, it is desirable to frequently change any secret information shared with the ME 306, such as a key. UIM 308 is trusted to store confidential information (eg, encryption keys) that should be kept secret for a long time. Since UIM 308 is a secure unit, the secrets it stores do not require the system to frequently change confidential information. The UIM 308 includes a processing unit called a Secure UIM Processing Unit (SUPU) 3 16 and a Secure UIM Memory Unit (SMU). The memory unit of 314 and trusts the security of the memory unit. The SUMU 314 within the UIM 308 stores confidential information in a manner that prevents unauthorized access to information. If UIM 308 obtains confidential information, access requires a lot of resources. Again, SUPU 3 16 within UIM 308 calculates values external to UIM 308 and/or values internal to UIM 308. The calculation results can be stored in the SUMU 314 or passed to the ME 306. Only entities with a large number of resources 87743 21 - 1280768 can get the calculations performed by SUPU 316 from UIM 308. Similarly, the output from SUPU 316 that has been designated to be stored in SUMU 314 (instead of being output to ME 3 06) is designed to have a large amount of resources for unauthorized interpretation. In a specific embodiment, UIM 3〇8 is a fixed unit within MS 3〇〇. Please note that in addition to the secure memory and processing in the UIM 308, the UIM 308 can also contain unsecured memory and processing (not shown) for storing phone numbers, email address information, web pages, URLs. Address information and / or scheduling features and more. An alternative embodiment may provide a removable and/or reprogrammable UIM. In an exemplary embodiment, SUPU 316 does not have substantial processing capabilities beyond the scope of security and key procedures, such as 'allowing to encrypt the broadcast content of the HSBS. Instead of the specific embodiment, a UIM with more processing power can be implemented. The UIM is associated with a particular user and the primary purpose is to verify that the MS 300 has access to the user, for example, accessing a mobile phone network. Thus, the user is associated with the UIM 308, rather than with the MS 300. The same user may be associated with multiple UIMs 308. The problem with the broadcast service is to decide how to distribute the key to the subscribed user. To decrypt the broadcast content at a specific time, the ME must know the current decryption key. To prevent theft of services, you should change the decryption key frequently, for example, every minute. These decryption keys are called short-term keys (SK). The SK system is used to decrypt the broadcast content during a short period of time, so it may be assumed that SK has some inherent economic value for the user. For example, the inherent economic value may be a share of the cost of registration. False 87743 -22- 1280768 It is assumed that the cost of SK obtained from a subscriber's memory storage unit MEM 3 10 by a non-subscriber exceeds the inherent economic value of SK. That is, the cost of (illegally) obtaining SK exceeds the fee, so it does not benefit. Accordingly, it is not necessary to protect the SK in the memory storage unit MEM 310. However, if the lifetime of a confidential Jinyu is longer than the life of S K, the cost of (illegally) obtaining the confidentiality is lower than the fee. In this case, obtaining this key from the memory storage unit MEM 3 10 will benefit. Therefore, conceptually, the memory storage unit MEM 3 10 will not store a secret key whose lifetime is longer than the SK lifetime. The content server (CS) (not shown) that distributes the SK to the channels used by the various subscriber units is considered unsafe. Therefore, when distributing a given SK, CS wants to use a technology that can hide the SK value for unordered users. In addition, CS distributes SK to a large number of potential subscribers for processing within individual MEs over a relatively short period of time. Known key transmission security methods are extremely slow and require the transmission of a large number of keys and are generally not practicable for the desired criteria. An exemplary embodiment is an implementable decryption key distribution method that can distribute a decryption key to a large number of users over a short time period in a manner that a non-subscriber cannot obtain the decryption key. In an exemplary embodiment, MS 3 00 supports HSBS in a wireless communication system. In order to gain access to the HSBS, the user must register and order the service. Once the order has been enabled, the various keys are updated regularly. During the registration process, CS and UIM 308 coordinate a Registration Key (RK), which is used as a security association between the user and the CS. Next, the CS transmits the next 87743 -23 - 1280768 confidential information encrypted with the registration key (RK) to the UIM. The registration key (RK) is saved as a secret in UIM 308 and is a unique key to a given UIM, with each user being assigned a different registration key (RK). The registration process alone does not allow the user to access the HSBS. As described above, the user subscribes to the service 6 after registration. In the process, the CS transmits a Broadcast Access Key (BAK) to the UIM 308. The CS transmits the BAK value encrypted using the registration key (RK) unique to the UIM 308 to the MS 300, specifically to the UIM 308. The UIM 308 can use the registration key (RK) to restore the encrypted version back to the original BAK value. The BAK is used as a security association between the CS and the subscribed user group. Next, the CS broadcasts a material called SK Information (SKI), and combines the SK information (SKI) and the BAK in the UIM 308 to derive the SK. The UIM 308 then passes the SK to the ME 306. In this manner, the CS can efficiently distribute the new SK value to the ME of the subscribed user. The registration process is discussed in detail in the following paragraphs. When the user registers with a given C S, UIM 308 and CS (not shown) establish a security association. That is, UIM 308 and CS jointly agree to a secret key RK. RK is Jinyu, which is unique to each UIM 308. However, if a user has multiple UIMs, UIM can share the same RK, depending on the principle of CS. This registration occurs when the user subscribes to the broadcast channel provided by CS, or this registration may occur before the order. A single CS can provide multiple broadcast channels. The CS may choose to establish the association between the user and the same rk for all channels, or require the user to register each channel and establish the association between the same user and different RKs on different channels. Multiple CSs can be selected 87743 -24- 1280768 to use the same registration key, or require the user to register with each cs and get a different RK. Two common examples of establishing this security protection association include: the Authenticated Key Agreement (AKA) method used by 3GPP, and the Internet Key Exchange (IKE) method in accordance with IPsec. . In either case, the UIM memory unit SUMU 314 contains a secret gold key called A-key. The AKA method is described as an example. In the AKA approach, A-key is a secret only known to UIM and trusted third parties (TTP): TTP may consist of more than one entity. The TTP is usually the mobile service provider registered by the user. All communications between CS and TTP are kept secret, and CS trusts TTP to not assist unauthorized access to the broadcast service. When the user registers, the CS notifies the TTP that the user wants to register the service and provides the user's request for verification. TTP uses a function (similar to a password-compiled hash function) to calculate RK from A-key and additional data called Registration Key Information (RKI). The TTP passes the RK and RKI along with a non-submission related other material to the CS through a secure channel. The CS transmits the RKI to the MS 300. Receive circuit 304 passes the RKI to UIM 308 and may pass the RKI to ] 306. UIM 3 08 calculates RK from the A-key that is missing from the RKI and UIM memory unit SUMU 3 14. The RK is stored in the UIM memory unit SUMU 3 14 and is not directly provided to the ME 306. Instead of a specific embodiment, an IKE case can be used, or other methods for building RK. RK is considered as a security association between C S and UIM 308. 87743 -25- 1280768 In the AKA method, RK is the secret of CS, UIM and TTP. Therefore, in this paper, the ΑΚΑ method means that the security protection between CS and UIM implicitly includes ΤΤΡ. The inclusion of Ding in any security association is not considered anti-security, because CS trust does not assist in unauthorized access to the broadcast service. As mentioned above, if the key is shared with the ME 306, it is more appropriate to change the key frequently. This is due to the risk that the non-subscriber accesses the information stored in the memory storage unit MEM 310 to access controlled or locally controlled services. The ME 306 stores SK (key information for decrypting the broadcast content) in the memory storage unit MEM 310. The CS must transmit enough information for the user who has ordered to calculate the SK. If the ME 306 of the user who has ordered can calculate SK from this information, the additional information required to calculate SK may not be kept confidential. In this case, it is assumed that the ME 306 of the user who has ordered can also calculate SK from this information. Therefore, the value of 8 feet must be calculated in 81^11316 using the secret key shared by 〇3 and 31;]^11314. The inner 08 and 811^11; 314 share the value of 1^, but each user has a unique RK value. The CS does not have enough time to use all RK values to encrypt the SK and pass these encrypted values to each subscribed user. Some other standard is needed. The ordering process is discussed in detail in the following paragraphs. In order to ensure efficient dissemination of the security information SK, the CS periodically distributes a Broadcast Access Key (BAK) to each subscriber UIM 308. For each subscriber, the CS uses the corresponding RK to encrypt the BAK to obtain a value called BAKI (BAK Information; BAK Information). The CS transmits the corresponding BAKI to the MS 300 of the subscribed user. For example, 87743 -26- 1280768

The BAK can be transmitted as an ip packet encrypted corresponding to the RK of each MS. In an exemplary embodiment, the BAKI is an iPSec packet. In an exemplary embodiment, the BAKI is an IP Sec packet containing a BAK encrypted using RK as Jin Yu. Since RK is a user-based Jin Yu, CS must deliver BAK to each subscriber one by one, so BAK is not transmitted through the broadcast channel. The MS 300 passes the BAKI to 111^308.311?1; 316 uses the value of ^^ stored in 81; ^11; 314 and the BAKI value to calculate the BAK. Next, the BAK is stored in the SUMU. In an exemplary embodiment, the BAKI includes a Security Parameter Index (SPI) value for instructing the MS 300 to pass the BAKI to 111]^ 308, and indicates 1; 1^1 308 uses ^^ Decrypt 6 8 0. We expect that the cycle of updating the BAK is sufficient to allow the CS to send each B AK to each subscriber one by one without significant over-consumption. Since the untrusted ME 306 remains secret for a long time, the UIM 308 does not provide the BAK to the ME 306. The BAK is used as a security protection association between the CS and HSBS service subscriber groups. How to update SK after a successful ordering process is discussed in the following paragraphs. During each cycle of updating the BAK, a short time interval is provided during the period in which SK is distributed on a broadcast channel. CS uses a cryptographic compile function to determine the SK value and the SKI (SK Inf) value so that SK can be determined from BAK and SKI. For example, SKI may be SK encrypted using BAK as a key. In an exemplary embodiment, the SKI is an IPSec packet containing SK encrypted using BAK as a key. Alternatively, SK may be the result of applying a cryptographic compilation hash function to the SKI and BAK block concatenation. 87743 -27- 1280768 Some parts of the SKI may be predictable. For example, a portion of the SKI can be derived from the system time during which the SKI is active. This portion (labeled SKI-A) does not need to be transmitted to the MS 300 as part of the broadcast service. The rest of the SKI (labeled SKIJB) may not be predictable. SKI_Bf needs to be transmitted to MS 3 00 as part of the broadcast service. The MS 300 reconstructs the SKI from the SKI_Ai SKI-B and provides the SKI to the UIM 308. The SKI can be rebuilt within the UIM 308. The value of the SKI must be changed for each new SK. Therefore, when calculating a new SK, SKI_A &amp; / or SKI-B must be changed. The CS transmits the SKI_B for the broadcast transmission to the BS. The BS broadcasts the SKI_B, and the antenna 302 detects the SKI_B&amp; and passes the SKI_B to the receiving circuit 304. Receive circuit 304 provides SKI_B to MS 300, where MS 300 reconstructs the SKI. The MS 300 provides the SKI to the UIM 308, where the UIM 308 uses 3 8 feet stored in 3111^1; 314 to obtain 3 〖. Then, 1; 1] ^ 308 provides SK to the ME 306. The ME 306 stores the SK in the memory storage unit MEM 310. The ME 306 uses SK to decrypt the broadcast transmission received from the CS. In an exemplary embodiment, the SKI also includes a Security Parameter Index (SPI) value for instructing the MS 300 to pass the SKI to the UIM 308 and instructing the UIM 308 to decrypt the SKI using the BAK. After decryption, UIM 30 8 passes SK to ME 306, where ME 306 uses SK to decrypt the broadcast content.

A criterion for the joint transmission of CS and BS. CS will want to reduce the inherent economic value of each SK by changing the way SK is often changed. In this situation, we want to weigh the changes to SKI_B 87743 -28- 1280768 with the goal of optimizing the available bandwidth. SKI_B can be transmitted on a channel other than the broadcast channel. When the user "tunes" to the broadcast channel, the receiving circuit 304 obtains information for finding the broadcast channel from the "control channel". When the user "tunes" to the broadcast channel, it may be desirable to allow fast access. This requires the ME 306 to obtain the SKI in a short time. The ME 306 already knows the SKI_A, but the BS must provide the SKI_B to the ME 300 for this short period of time. For example, the BS may transmit SKI_B (along with the information used to find the broadcast channel) on the control channel or transmit the SKI_B frequently on the broadcast channel. The more frequently the BS "refreshes" the SKI_B value, the faster the MS 300 can access the broadcast message. To redefine the SKI_B data with the goal of optimizing the available bandwidth, the transmission of SKI_B data too often would result in an unacceptable amount of bandwidth in the control channel or the broadcast channel. This paragraph discusses the encryption and transmission of broadcast content. The CS uses the current SK to encrypt the broadcast content. The exemplary embodiment employs an encryption algorithm, such as the Advanced Encryption Standard (AES) h Cipher Algorithm. In an exemplary embodiment, the encrypted content is transmitted by an IPSec packet in accordance with an Encapsulating Security Payload (ESP) transmission mode. The IPSec packet also includes an SPI value for instructing the ME 306 to use the current SK to decrypt the received broadcast content. The encrypted content is transmitted via the broadcast channel. Receive circuitry 304 provides RKI and BAKI directly to UIM 308. In addition, the receiving circuit 304 supplies the SKI_B to the appropriate components of the MS 300, in which 8 ft 1_:6 and SKI_A are combined to obtain the SKI. MS 300 related components 87743 -29- 1280768 Provide SKI to UIM 308 ° UIM 308 uses RKI and A_key to calculate RK, RK to decrypt BAKI to get BAK, and SKI and BAK to calculate SK, and It is possible to generate the SK to be used by the ME 306. The ME 306 uses SK to decrypt the broadcast content. In an exemplary embodiment, UIM 308 does not have sufficient capabilities to decrypt the broadcast content on the fly, so the SK is passed to ME 306 to decrypt the broadcast content. FIG. 5 shows the transmission and processing of keys RK, BAK, and SK in accordance with an exemplary embodiment. As shown, at registration, MS 300 receives 110 and provides the 11 111 to 111]^ 308, where 31^1; 316 uses 11 〇 and person _]^7 to calculate RK, and the RK Stored in the UIM memory unit SUMU 314. The MS 300 periodically receives the BAKI, which contains the BAK encrypted using the RK value unique to the UIM 308. SUPU 316 decrypts the encrypted BAKI to restore the BAK, which is stored in UIM memory unit SUMU 314. MS 3 00 further receives a SKIJB periodically, and the combination of SKI-B and SKI_A constitutes an SKI. SUPU 316 uses SKI and BAK to calculate SK. SK is provided to the ME 306 to decrypt the broadcast content. In an exemplary embodiment, the CS key need not be encrypted and transmitted to the MS, and the CS may use an alternate method. The key information generated by the CS is transmitted to each MS, and the MS is provided with sufficient information to calculate the key. As shown by system 350 in Figure 6, the RK is generated by the CS, but the RK information (RKI) is transmitted to the MS. The CS transmits enough information for the UIM to derive the RK, which uses a pre-determined function to derive the RK from the information transmitted by the CS. The information contained in the RKI is sufficient for the MS to use a pre-determined public function labeled dl to determine the original RK from A-key and other values (eg, system time) 87743 -30- 1280768: RK=dl(A_key, RKI 〇(3) In an exemplary embodiment, the function dl defines a cryptographically compiled function. According to a specific embodiment, SRK is determined according to the following function: RK=SHA, (A-key||RKI), (4) where "11&quot; indicates the concatenation of blocks containing A-key and RKI, SHA\ X) indicates the last 128-bit of the output of the Secure Hash Algorithm (SHA-1) in the case of the known input X. In the alternative concrete example, the following function is used to determine RK: RK =AES(A_key,RKl), (5) where AES(X,Y) indicates the 128•bit block RKI encrypted using the 128-bit A-key. Further implementation based on the AKA protocol In the example, the RK is determined according to the output of the 3GPP key generation function f3, where the RKI includes the value of RAND and the AMF value and the SQN value defined by the standard. Because multiple users having different RK values must calculate the same value. BAK, so the BAK will be handled in different ways. The CS can use any technique to determine the BAK. However, the BAKI value associated with a particular UIM 308 must be a BAK encrypted according to the unique RK associated with the UIM 308. ^11316 uses a RK stored in 811]^1; 314 to decrypt b according to a function labeled 42. AKI, as shown below: BAK=d2(BAKI, RK). (9)

In an alternate embodiment, the CS may use the RK to perform the BAK decryption procedure to calculate the BAKI, and the SUPU 316 to use the RK to perform the BAKI encryption procedure to obtain the BAK. This is considered equivalent to CS encryption BAK and SUPU 87743 -31 - 1280768 316 decryption BAKI. In addition to the key combination shown in Fig. 6, any number of combinations of gold balances may be implemented instead of or in place of the key combination shown in Fig. 6. The way to handle SK is similar to the way RK is handled. First, the SKI (SKI_B is the information transmitted from the CS to the MS) is derived from SKI_A&amp; SKI_B. Then, a predetermined function labeled d3 is used, derived from SKI and BAK (stored in SUMU 314). SK, as follows: SK = d3 (BAK, SKI) 〇 (6) In a specific embodiment, function d3 defines a cryptographically compiled function. In an exemplary embodiment, SK is calculated according to the following function: SK=SHA(BAK ||SKI), (7) In another embodiment, SK is calculated according to the following function: SK=AES(BAK,SKI) 〇(8) FIGS. 7A to 7D show one type of use Figure 7A shows a registration procedure 400 in which a subscriber negotiates to register with the CS at step 402. At step 404, registration provides a unique RK to the UIM. At step 406, the UIM will The RK is stored in a Secure Memory Unit (SMU). Figure 7B shows the order process 420 between the CS and the MS. At step 422, the CS generates a BAK during a BAK time period T1. The BAK is throughout The BAK time period is valid during the period T1, and the BAK is updated regularly. In step 42 4. The CS authorizes the UIM to have access to the Broadcast Content (BC) during the BAK time period T1. At step 426, the CS encrypts the BAK with each individual RK of each subscriber. Encrypted The BAK is called BAKI. Next, the BAKI is transmitted to the UIM at steps 428, 87743 - 32 - 1280768 CS. At step 430, the UIM receives the BAKI and uses RK to perform the decryption. The result of the decryption is the original generated ΒΑΚ The UIM stores the UI in a SUMU at step 432. Next, the UIM receives the broadcast session and can access the BC by decrypting the encrypted broadcast (EBC) using the UI. Figure 7C A method for implementing security protection encryption in a wireless transmission system supporting broadcast transmission is shown. The method 440 implements a time period in accordance with the timing diagram shown in Figure 7E. The BAK is periodically updated at time intervals of time period T1. BAK and when T1 is overdue, a timer tl is started. A variable is used to calculate SK of SK_RAND, and SK is periodically updated at time interval T2. When SK_RAND is generated and exceeds T2 When, it will start a timer t2. In a particular embodiment, the time period will be a time interval T3 is further updated periodically SK. When each SK is generated and expired at T3, a timer t3 is started. The SK-RAND is generated at the CS and is provided to the MS on a regular basis. The MS and CS use SK_RAND to generate the SK, as described in detail below. When the applicable value of the BAK is updated, a first timer tl is reset. Update The length of time between two BAKs is the BAK update cycle. In an exemplary embodiment, the BAK update period is one month, however, any desired time period may be implemented in place of a particular embodiment to achieve a system optimized operational goal, or to meet various system criteria. With continued reference to FIG. 7C, at step 442, the method 440 initializes the calculator t2 and begins the SK-REG time period T2. At step 444, the CS generates SK_RAND and provides the value to the transmission circuit for transmission throughout the system 87743 - 33 - 1280768. At step 446, timer t3 is initialized to begin the SK time period Τ3 overdue. Next, at step 448, the CS uses the current SK to encrypt the BC. The result of the encryption is the EBC, where the CS provides the EBC to the transmission circuitry for transmission throughout the system. At decision step 452, if the timer t2 has expired, the process returns to step 442. When the timer t2 is less than T2, if the timer t3 has expired at decision step 454, the process returns to step 446; otherwise the process returns to step 450. Figure 7D shows the operation of the MS that is accessing a broadcast channel. The method 460 first synchronizes the values on the timers t2, t3 and CS at step 462. At step 464, the UIM of the MS receives the SK_RAND generated by the CS. At step 466, the UIM uses SK_RAND, BAK, and a time measurement to generate the SK. The UIM passes the SK to the ME of the MS. Next, at step 468, the UIM uses the received SK to decrypt the received EBC to extract the original BC. At step 470, when the timer t2 expires, the process returns to step 462. When the timer t2 is less than T2, if the timer t3 has expired at step 472, the timer t3 is initialized at step 474 and returns to step 466. When the user subscribes to the broadcast service for a specific BAK update period, the CS will transmit the appropriate BAKI (equivalent to the BAK encrypted with RK). This typically occurs before the start of the BAK update cycle, or when the MS first tunes to the broadcast channel during the BAK update cycle. This can be initiated by the MS or CS in accordance with various criteria. Multiple BAKIs can be transmitted and decrypted simultaneously. Note that when the BAK update cycle is about to expire, if the MS has ordered the next BAK update cycle, the MS can request the updated BAK from the CS. In an alternate embodiment, the CS utilizes the first timer t1, wherein when the timer is overdue (i.e., the BAK update period is satisfied), the CS transmits the BAK immediately. Note that the user can receive a BAK during a BAK update period, for example, when each BAK update is performed, a subscriber joins the service during the month. In addition, the time periods of BAK and SK update can be synchronized so that all subscribers are updated at a given time. &quot; Figure 8A shows a registration procedure in a wireless communication system 500- according to an exemplary embodiment. The CS 502 negotiates with each subscriber (i.e., MS 5 12) to produce a RK&gt; RK unique to each subscriber that is provided to the _ SUMU memory unit within the UIM of each MS. As shown in the figure, the ruler generated by CS 502 is stored in 81;]^1; 1510 in 1111\11512. Similarly, the ruler 2 generated by 〇3 502 is stored in SUMU2 520 in UIM2 522, and in SUMUn 530 generated by CS 502 stored in UIMN 532. FIG. 8B shows the ordering process in system 500. The CS 502 further includes a plurality of encoders 504. Each encoder 504 receives one of a plurality of unique RKs and a BAK value generated in CS 502. The output of each encoder 504 is a BAKI that is coded for a subscriber. The UIM of each MS (eg, UIMi 512) receives the BAKI. Each UIM includes a SUPU and a SUMU, such as SUPU! 514 and SUMU! 510 of UIM! 512. The SUPU includes a decoder (e.g., decoder 516) for applying the RK of the UIM to restore the BAK. Repeat this procedure at each speaker. Figure 8C shows the Jin Yu management and update, where CS applies a function 508 to generate a SK-RAND value, which is the temporary value used by CS and MS to calculate SK. Specifically, function 508 applies the BAK value, SK-RAND, and a time factor. 87743 - 35 · 1280768 While the particular embodiment illustrated in Figure 8C applies a timer to determine when to update the SK, alternatives may be used in place of the specific embodiment to provide periodic updates, e.g., errors or other events. The CS provides the SK-RAND value to each subscriber, where a function that is resident in function 518 in each UIM applies the same function as the function 508 of CS. The function 518 operates SK_RAND, BAK, and a time value to generate a SK, and the generated SK is stored in a memory location in the ME, for example, the MEMU 542 of the ME! Figure 8D shows the BC processing procedure after registration and ordering. The CS 502 includes an encoder 560 for encoding the BC using the current SK to generate an EBC. Next, the EBC is transmitted to the subscriber. Each MS includes an encoder 544 for using the SK to extract BCs from the EBC. Although the present invention has been described with respect to an exemplary embodiment of a wireless communication system that supports a one-way broadcast service, the encryption method and key management described above are further applicable to other data processing systems, including multicast. Broadcast system. Further, the present invention is applicable to any data processing system having multiple subscribers accessing a single transmitted secret message through an unsecured channel. Note that the user can subscribe to the current broadcast or transmission to a first entity that is different from the current content server (CS), content provider, and/or content source. For example, consider users who roam to different geographic regions. The subscriber is a subscriber who has subscribed to a central newscast entity (e.g., CNN). Subscribers to sub-offices of the Centre's newscasting entities (eg CNN Asia) may be established locally. In this case, when the subscriber of the central news broadcast entity (for example, CNN) roams to the geographical area of a locally established broadcast entity (for example, CNN Asia 87374 -36-1280768), the authorized unit may request the local establishment. The broadcast entity checks the subscription database of the central newscast entity. Each broadcast entity can have a separate subscription server (ss), however each SS must negotiate with another SS while roaming, thus complicating the misidentification. Similarly, using separate SSs can also complicate keying. Each SS may be a server owned by the local CS, or it may be a commercial agreement with the local. Various alternative embodiments are described herein to avoid some of the authorization issues associated with roaming. The definition of a logical entity is provided below based on a clear understanding of the specific embodiment considerations. The system or network (called HLR or HLR/AC) saves the order of the mobile user. In other words, does the home mean a general call? The system in which Ding is located. Systems or networks (referred to as VLRs, such as MSC/VLR) are systems that are entered when roaming and the like. When the user is not roaming, the VLR system is the same as the HLR system. When the content server (CS) provides content to the visited network, the CS is referred to as a local/visited server. The CS includes a content source and a Broadcast Access Key (BAK) generator. A BAK encryptor will encrypt the BAK to be provided to UIM. The same BAK Encryptor may be associated with only one CS or with multiple CSs. A subscription server (SS) holds subscription material for granting the user at least one Broadcast Multicast Service (BCMCS) privilege. Ss may be a server owned by the local CS or may be part of a commercial agreement with the local CS. The goal of BCMCS is to provide a broadcast and multi-point delivery service. An entity called the Content Server (CS) provides content to the Participant Action Service Provider 87743 - 37 - 1280768 (SP). The content is conceived as audiovisual material. CS may be (but not necessarily) part of the servo network. The SP transmits the content on a particular physical channel. If the content is free of charge, any user can access the physical channel to view/process the content. If the subscription is to access the physical channel, then although any user can tune to the physical channel, the content is encrypted so that only the subscribed user can view / &quot; process the content. · The security threat to the broadcast system is a consideration for key design. Figure 18 shows a system for providing a broadcast service and a multicast service. Security Threats 涉及 involves a user who has not paid the subscription fee (when payment is required) but has access to the content. In order to counter security threats, the content is encrypted and only the decryption key is provided to the subscribed user. Therefore, key management is of key importance. In transport mode, the broadcast content is stored by using IPSec Encapsulating Security Payload (ESP) end-to-end encryption. Multiple security protection parameters (eg, encryption key and encryption algorithm_method) are stored as security associations and utilize the destination address and a 32_bit value called the Security Parameter Index (SPI). To compile an index of security protection relevance. Based on the purpose of the discussion, the mobile station (MS) is considered as two separate entities: the User Identity Module (UIM) and the Mobile Device (ME). The UIM is a low power processor that includes secure memory. The UIM may be removable (like a SIM card) or part of the MS itself. The ME contains a high power processor but no secure memory. 87743 -38- 1280768 will use the frequently changed short-term key (SK) to encrypt the content. The ME uses SK to decrypt the content. SK will be changed frequently to prevent the "fraudulent" from transmitting the SK for receiving the broadcast content to other terminals, and to provide the service to many people only for a single subscription fee. The SK is not transmitted; instead, the SK value for the specific broadcast packet is derived from the Broadcast Access Key (BAK) and the SPI in the IP See packet. The BAK system resides in the UIM, so UIM must be available to receive the broadcast service. All subscribers to the channel have the same current BAK, and the duration of access provided by the BAK is a period of time determined by the operator. Therefore, once the UIM obtains the BAK, the UIM can calculate the SK value required for the ME to decrypt the broadcast. A method similar to "Secure Mode" is used to provide BAK to UIM. Please refer to the 17th Anniversary issued in December 2001. 8:8/13_683-;6,〇.80016_8,8?- 4742_11¥2-8 is titled "Over_the_Air Service Provisioning of Mobile Stations in Spread Spectrum Systems". A list of definitions is provided below for a clear understanding of the purpose. AAA Authentication, Authorization, and Accounting: AAA saves the user's root directory code (root key) K 〇AC Authentication Center: This is the ANS-41 entity. The authentication and key management functions performed are similar to AAA. BAK Broadcast Access Key: Provides access to content for up to a period of time (for example, one day, one week, or one month). BAKUE broadcast access gold update entity (Broadcast Access Key Update 87743 -39- 1280768

Entity): BAKUE is an entity that can update the bak in the servo network. CS Content Server: Provides service information. MS Mobile: Based on the purpose of this document, the MS is considered to be two separate entities: UIM and ME. UIM User Identity Module: This UI1V [is a low power processor that contains secure memory. The UIM may be removable (as with a SIM card) or part of the MS itself. ME Mobile Device: This ME contains a high power processor but no secure memory. SA Security Association: A list of parameters (for example, keys) required to process an IPSec packet. Each SA is indexed by the destination address and the Security Protection Parameter Index (SPI). SDP Session Data Parameters: Parameters required to process the current content. SK Short-term Key: CS uses SK to encrypt content, and ME uses SK to decrypt content. SMCK Secure Mode Cipher Key: Same as the key used in IS-683-B. In BCMCS, when BAK is transferred to UIM, SMCK is used to encrypt BAK. SP Service Provider: The server network where the MS is currently located. SPI Security Parameter Index · · Used to compile an index of security protection association (SA). 87743 -40- 1280768 PDSN Packet Data Serving Node ··Interface between the Internet and the RAN. RAN Radio Access Network. ^^&gt;© seems to be a random number generated by a human/eighth person in 13-683氺, used to generate SMCK. The ordering process is not part of the discussion. However, it is assumed that the subscription procedures for the CS and SP protocols include providing a subscription root directory code that can be used for authentication and key management. Assume that the root directory code is held by AC or AAA-Η. A practicable solution is to reserve the broadcast order in the CS, or in another entity separate from the subscription, and to wirelessly access the broadcast subscription stored in the AAA-H or in an HLR associated with an AC. In this case, it is assumed that a wireless access subscription will be established prior to the establishment of the broadcast service subscription. Ordering the location of the data will affect how the BAK is provided. There are two ways for the MS to use the UE to determine if it has the correct B AK. When the user tunes to the broadcast service, the first step is to obtain the Session Data Parameter (SDP) from the CS. The SDP contains information about the BAK, such as the identification (serial number) and the overdue time (if any). These values allow the MS to determine if the BAK needs to be updated. If the BAK needs to be updated during transmission, the transmission will include: notifying the MS to perform an SDP update (the MS can determine from the SDP update whether the BAK needs to be updated). The IPSec packet using SK encryption derived from BAK has a 4-bit most significant bit (MSB) set to the SPI corresponding to the BAK JD of the BAK. Therefore, the ME can extract the 4-bit MSBs to check whether the UIM has a positive BAK of 87743 -41 . 1280768. CS decides how long to change. Change frequently to improve security. Frequent changes can also increase the flexibility of accounting processing. Please consider the following examples. Once the user has an embarrassment, the content can be retrieved during the lifetime of the embarrassment. Assume that it will change at the beginning of each month. If the user's order expires midway through the life of the user, the user can still generate SK (and therefore view the content) until the expiration date. Therefore, if you change only 每月 monthly, CS can only charge the subscription fee from the beginning of the month to the end of the month. Users cannot order from mid-month to mid-month. However, if it changes every day, the user can order from any day of the month. It should be considered that increasing the frequency of changes may increase the number of times the mobile station must capture new depreciation. The discussion did not specify how the MS determines if an update is needed. Suppose the MS will be equipped with a decision device to determine that the ΒΑΚ is about to expire or has expired, triggering an action to perform a ΒΑΚ update. Therefore, several methods can be used. When the MS decides to perform a BAK update, the BAK is provided to the UIM using a method similar to the IS-683-B privacy mode. This can be done in several ways. First, the CS can provide the BAK to the UIM, as shown in Figure 19. When the MS determines that the BAK needs to be updated, the MS contacts the CS. The CS checks if the user is a subscribed user. If the user is a subscribed user, the CS contacts the user's AC/AAA to obtain a temporary SMCK as in IS-683-8. The AC/AAA generates a random number RANDSM and combines the random number with the SSD-B (or root directory code K) of the mobile station to obtain the SMCK. For this purpose, the SHA-1 based function 87743 42 - 1280768 f3 is used. AC/AAA transmits RANDSM and SMCK to CS. The CS uses SMCK to encrypt the BAK to get the EBAK. Next, cs transfers RANDsm, BAK_ID, and EBAK to the mobile station. UIM combines RANDsm with root directory code K (or current SSD-B) to obtain SMCK. The UIM then uses the SMCK to decrypt the EBAK to obtain the BAK and store the BAK in secure memory. If the CS passes the subscription material to the HLR/AC or AAA-H, the SP can provide the BAK to the UIM on behalf of the CS, as shown in FIG. In this case, the SP has one or more BAK Update Entities (BAKUE) available to provide the BAK to the UIM. The CS provides the current BAK to the BAKUE. When the MS determines that the BAK needs to be updated, the MS contacts a BAKUE. The BAKUE contacts the AC/AAA of the user to obtain a Secure Mode Cipher Key (SMCK) as in IS-683-8. AC/AAA checks if the user is a subscribed user. If the user is a subscribed user, the AC/AAA generates a random number RANDSM and combines the random number with the mobile station's SSD-B (or root directory code K) to obtain the SMCK. For this purpose, the SHA-1 based function f3 is used. AC/AAA transmits RANDSM and SMCK to BAKUE 〇 BAKUE uses SMCK to encrypt BAK to obtain EBAK. Next, the CS transmits RANDsm, BAK_ID, and EBAK to the mobile station. UIM combines RANDsm with root directory code K (or current SSD-B) to obtain SMCK. The UIM then uses the SMCK to decrypt the EBAK to obtain the BAK and store the BAK in secure memory. 87743 -43 - 1280768 If the CS passes the ordering material to the HLR/AC or AAA-Η, the SP can provide the BAK to the UIM on behalf of the CS, as shown in Figure 20. In this case, the SP has one or more BAK Update Entities (BAKUE) that can be used to provide the BAK to the UIM. 1 · CS provides the current BAK to BAKUE. 2. When the MS determines that the BAK needs to be updated, the MS contacts a BAKUE. 3. The BAKUE contacts the AC/AAA of the user to obtain a Secure Mode Cipher Key (SMCK) as in IS-683_B. 4· AC/AAA checks if the user is a subscribed user. If the user is a subscribed user, the AC/AAA generates a random number RANDSM and combines the random number with the mobile station's SSD-B (or root directory code K) to obtain the SMCK. For this purpose, the SHA-1 based function f3 is used. AC/AAA transmits RANDSM and SMCK to BAKUE. 5. BAKUE uses SMCK to encrypt BAK to get EBAK. Next, the CS transmits the RANDSM, BAK_ID, and EBAK to the mobile station. 6. UIM combines RANDSM with root directory code K (or current SSD-B) to obtain SMCK. The UIM then uses the SMCK to decrypt the EBAIC to obtain the BAK and store the BAK in secure memory. When an opponent performs a BAK request by pretending to be a subscriber, it does not achieve any purpose. Only users who have ordered can derive the SMCK from RANDSM and extract the BAK in this way. For these reasons, CS/BAKUE does not need to authenticate BAK requirements. According to an exemplary embodiment, the UIM does not expose the BAK. If a single UIM reveals BAK, then 87743 -44- 1280768 will destroy all security unless CS changes. UIM should store information about ΒΑΚ and related information, such as identification (number) and overdue time (if any). It has proven to be advantageous to provide Β to UIM immediately before starting to use ΒΑΚ to derive the SK value. Otherwise, once the CS starts transmitting the packet along with the SK derived from the new one, the user will experience a delay when the MS performs the update. If many users are tuned to the same frequency at the same time, spike traffic is encountered when all MSs perform a ΒΑΚ update. To avoid such problems, the Broadcast Multicast Service (BCMCS), as described in this article, allows the MS to obtain new defects immediately before the BAK change. The MS, SP or CS can initiate the acquisition procedure. Different MSs may have different ΒΑΚ update execution schedules to prevent too many MSs from performing ΒΑΚ updates immediately. For security reasons, the timing of distributing BAK should be as close as possible to the time of use. The ME can store BAK related information to save the need to request this information from UIM. If the CS has calculated the SK corresponding to the current SPI, then in the transmission mode, the CS can encrypt the broadcast channel using the encryption key according to the IPSec ESP. In order to create a new key SK, CS. Perform the following steps. CS selects a random 28-bit value SPI_RAND. CS constitutes a 32_bit SPI of the form SPI=(BAK_ID| | SPI_RAND), where the 4-bit BAK_ID identifies the current BAK value. CS fills SPI_RAND with 128-bit bits. The CS uses the BAK as a key to encrypt the 128-bit value. The 128-bit output is SK. The CS places the new SK value in the SA that is indexed by the destination address of the SPI and the broadcast packet. 87743 -45 - 1280768 The SPI_RAND value should be a random value, so the user cannot predict the SPI value to be used in the future. Otherwise, someone can pre-calculate the SK value used on the day and distribute the key at the beginning of the day. For those who want to distribute Jin Yu, this process is easier (and cheaper) than instant distribution of keys. Assuming a BCMCS IPSec packet, the ME performs the following steps. ME gets the SPI. The ME extracts the BAK_ID from the SPI. Next, the ME determines if the UIM has the correct BAK. If the UIM does not have the correct BAK, the MS will update the BAK as described above. (Alternatively, the MS can check the SDP to see if it has the correct BAK). The ME checks if it has a Security Association (SA) corresponding to the destination address of the SPI and the broadcast packet. If the ME has an SA that conforms to the SPI, the ME uses the decryption key SK in the SA to decrypt the block (IPSec ESP according to the transmission mode). If the ME does not have an SA that conforms to the SPI, the ME passes the SPI to the UIM, allowing the UIM to calculate SK. The way UIM calculates SK is as follows. The UIM extracts the BAK__ID from the 4-bit most significant bit of the SPI and extracts the BAK value from its memory. The UIM extracts the 28-bit SPI_RAND and fills the SPI_RAND into 128-bit bits. UIM uses BAK as a key to encrypt the 128-bit value. The 128-bit output is SK. UIM passes SK to the ME. The ME places the new SK value into the SA indexed by the destination address of the SPI and the broadcast packet. Now the ME uses the SK as a key to decrypt the block (IPSec ESP according to the transmission mode) 〇 More than one IPSec packet can use the same SK value. CS decides when and how long to change SK. The shorter the life of SK, the higher the safety. SK is usually changed every 5 to 87743 -46 - 1280768 for 10 minutes, but CS will decide to change the SK interval. During the spike usage period, CS can choose to change SK more often based on additional security. Please note that since SK will be changed by changing the SPI, CS and MS must be designed to accommodate the dynamic SPI. Table 1 provides quick reference information on using, calculating, and storing keys at the MS. Table 1 is a summary of the information used, calculated, and stored in the mobile station. Table 1

Jin Yu: Use: Time: Necessary: Calculated position: Storage location: SMCK Decrypt BAK [Temporary] Root directory code K UIM (Scratch) BAK Calculate SK hours/days SMCK UIM UIM SK Decrypt content seconds/min BAK, SPI UIM ME BCMCS presents new challenges in the management of gold guns that require non-standard solutions. If the scheme uses IPSec, the BCMCS will want a mutable SPI to determine the SK value that the application will decrypt. In one embodiment, key management (which derives SK from BAK and SPI) is sufficient to protect the security of the BCMCS and allows for a particularly practical BCMCS approach. There are two "exchanges" in BCMCS. • The user pays to the CS to receive the broadcast content from the CS (via the SP). • The CS pays to the SP to receive the transmission time from the SP. 87743 -47 - 1280768 The security objectives of the system include the prevention of the following threats: sp gets the transmission cost of the payment' but does not provide the transmission time. It is important to consider the key points that Wang wants. It is easy to catch an SP that cannot provide transmission time. We expect to promote more business, and the anti-counterfeiting will suffer from poor reputation. At Alices (or other parties), the transmission time was obtained, but the transmission fee was not paid. For example, when someone pretends to be a legitimate cs; it sends a message to sp, just like the content provided by CS. One option is to add an authentication header (Authentlcatlon Header; AH) on the link between &lt;:^ and , to stop the threat. The user accesses the broadcast content but does not pay. An IPSec-based solution is required. The user must have the current decryption key to access the broadcast content. The UIM does not have sufficient capability to decrypt the content, so the ME performs decryption. This means that the decryption key is stored in the hall. Finally, someone successfully extracted the current decryption key from her. Thus, the subscribed user can distribute the decrypted key to other non-ordered users. Therefore, it is extremely difficult to design a solution that allows non-ordered users to access the data. Please note that the goal is to discourage potential markets (target users locked by the service) from using illegal means to access content. Instead, the ME stores or calculates the long-term key; instead, it stores or calculates the long-term key in mM. UIM does not have sufficient capabilities to perform shared key cryptography operations, so all key management must be based on symmetric cryptographic compilation. The SP and other entities will have access to access some of the symmetric keys and use these symmetric keys to derive the decryption key. The actual 87743 -48- 1280768 threat appears to be that the subscribed user is able to distribute the decryption key to non-ordered users. One solution is to change the decryption key often in an unpredictable way. The challenge to achieve this goal is to minimize the excessive transmission overhead required for key distribution. A scheme distributes a Broadcast Access Key (BAK) to each user individually, which uses the BAK and public information transmitted along with the broadcast to derive a number of decrypted Jin Yu. Figure 21 shows an example. In this example, only three decryption keys are derived from each BAK. In fact, hundreds or thousands of decryption keys are derived from a single BAK. Figure 21 shows an example of deriving a number of decryption keys from a BAK by combining the information transmitted on the broadcast channel. If a subscriber who has ordered can pick up the BAK and distribute the BSK to other users, other users can derive many SKs. In order to avoid this situation, the BAK must be saved in the secure memory in the UIM, so the user cannot pick up the B AK. There are many options available to provide B AK to UIM. The suggested choice (similar to the IS-683-B privacy model) seems to be the easiest option. In the general example of using IPSec, both parties will usually negotiate when to change the key. Once the parties have agreed on a new key, SPI will not change: Both parties place the new key in the old security protection association and maintain the SPI as it is. In BCMCS, there are different conditions because there are many receivers and communication is only from CS to multiple users. CS is not in the appropriate location to verify that the user has the correct SK value. Similarly, it is difficult for the user to verify that it has the correct SK value. When changing SK, change SPI to solve this problem. In this method, CS knows that the user has learned that 87743 -49 - 1280768 SK has been changed. Please note that there is no standard implementation in IPSec. The two main options for distributing SK include: 1) transmitting the SK in a packet different from the content stream; or 2) deriving the SK from the information in the IPSec packet containing the content. A hybrid approach can also be considered. Users can "tune to channel" at any time during the broadcast. The user wants to access the content almost immediately. Therefore, if information for deriving SK (e.g., an encrypted value of SK or a random seed) is transmitted in a packet different from the content stream, the CS must retransmit the information every few seconds. One drawback is that this method runs out of bandwidth. The main disadvantage is that there is no standard way to distinguish between packets containing SK information and packets containing content. Assuming that the SPI is changed at the same time as the SK is changed, an extra step may be taken to derive the SK from the BAK and SPI in exclusive mode. To ensure that the correct BAK value is used, the SPI contains a 4-bit BAK_ID and may have a BAK overdue time, so that other BAK values can be reused in the future. Therefore, the remaining 28 bits of the SPI can be changed, which corresponds to 228 possible SK values. When the ME encounters a new SPI value, the ME passes the SPI to the UIM, and the UIM calculates the SK from the SPI and BAK. The ME has a new SK within the legal time and can continue to decrypt. The variable part of the SPI should be randomly changed; otherwise, the user who has ordered can obtain the UIM and can pre-calculate and distribute the necessary SK value. Such methods do not require the use of additional bandwidth to distribute the SK to the user, and allow the UIM to calculate the SK immediately after it has the BAK and the ME has begun to receive the IP Sec packet. The user does not need to wait for a packet containing the SK information. This is a very important advantage, especially if the user changes the frequency 87374 -50 - 1280768 channels every few seconds or minutes: whenever the user changes the channel, the user does not want to wait for the derivation The information of the sk information is delayed by a few seconds. However, this approach allows a relatively small amount of SK to be derived from a single BAK. Specifically, in the illustrated example, there are 228 values (corresponding to 228 SPI-RAND values) compared to 2128 values using other methods. A group of subscribed user groups can obtain the UIM and can pre-calculate the current 228 SK values of the BAK by entering all possible 22N@SPI values. It is estimated that a UIM can calculate all the keys in about three days. A large number of UIMs that have been ordered will be able to pre-calculate these values within an hour. Thus, the group can distribute these values. The key set will require approximately four billion bits (4 GB) of memory. However, since the current consideration is that users will be accessed via a personal digital assistant (PDA) or telephone, it is highly unlikely that they will have 4GB of storage space. In addition, users may be reluctant to download large amounts of data (for example, 4GB) whenever BAK changes. Furthermore, the current example considers that the user wants to have a high quality service. Without all the keys, the user will not be able to decrypt all the content and will not be able to get high quality service. The following discussion presents several options for enhancing the security of BCMCS and similar broadcast services. Specifically, considerations include: 1) multiple layers of encryption, including link layer encryption and end-to-end encryption; 2) BAK update procedures, for example, encryption in the SS and encryption in the local area network; 3) BAK encryptor Or BAK scatters the location of the server, for example, associated with a single CS, or provided in a centralized manner for multiple CSs; and 4) SK transmission, where SK can be derived from the SPI, or SK can be transmitted in encrypted form. Figure 9 shows an exemplary architecture that will be referenced in the following discussion. 87743 - 51 - 1280768 While various options and specific embodiments are contemplated, the exemplary embodiments provide a method for a security module (UIM) in a local system or network (referred to as HLR) and a remote unit A registration machine code (RK) or a root key code (root key) is first established in a confidential manner. An AKA program (or modified AKA program) is used to provide an identical RK to the HLR and a given user's UIM. Once the UIM and HLR have the same RK value, the local system (called the VLR) can use this information to provide a broadcast access key (BAK) to the UIM. Specifically, the VLR generates a BAK. Next, the VLR performs one of the following actions: 1) providing the BAK to the HLR, encrypting the BAK by the HLR and providing the encrypted BAK (Encrypted BAK; EBAK) to the VLR; or 2) the VLR will have a temporary key (Temporary Key) ; TK) requires delivery to the HLR. In the first example, the HLR encrypts the BAK using the RK that only the HLR and the UIM know. The EBAK is provided to the UIM via the VLR. The UIM receives the EBAK and uses RK to decrypt the BAK. Note that as far as implementation is concerned, when the BAK changes, the VLR must transfer the BAK to the HLR and cause excessive consumption. For the method of item 2), the HLR generates multiple TK values and associated random values. The TK value is generated using random numbers and RK. TK values (i.e., TK!, TK2, etc.) and random numbers (i.e., TK-RAND, TK-RAND2, etc.) are supplied to the VLR. Whenever the VLR updates the BAK (changes the BAK based on maintaining a secure transmission), the VLR uses a TIQ to encrypt the BAK. Then, the VLR transmits the EBAK and TKA (TKl5TK_RAND 〇 value pairs to the UIM. In each case, when the UIM owns the RK, the UIM can decrypt the EBAK and restore the BAK. Please test the BCMCS communication shown in Figure 22. System 1000. The functions of various real 87743 -52-1280768 bodies are defined as follows: • The BCMCS Control Center (Home BCMCS Contro1): - Provides BCMCS Service Ordering - Account Processing Information for BCMCS Services - Requires the establishment of a root directory machine in uim Code (Root Key; RK) - Generates a temporary key for decrypting BAK (Temporary Key; TK) • Local BCMCS Control Center (Local BCMCS contro1):

BAK to generate BCMCS service - Use TK to encrypt BAK - Download encrypted BAK to UIM - Pass BAK to RAN to generate SK and also indicate SK lifetime • BCMCS content server: - Provide BCMCS content. The interface shown in System 1 is defined as follows: • B1 interface (HLR/AC - BCMCS Control Center): - Used to request RK from the BCMCS Control Center in the UIM - RK from HLR/AC is passed to the BCMCS Control Center • B2 interface (local BCMCS Control Center - PDSN): - Download the encrypted BAK to the UIM via the IP protocol • B3 interface (local BCMCS Control Center - BSC/PCF):

- Pass BAK to RAN - Transfer SK lifetime to RAN • B4 interface (local BCMCS Control Center - BCMCS Control Center): - Pass TK set to local BCMCS Control Center 87743 - 53 - 1280768 Figure 23 shows Explain the timing diagram of RK build. The vertical axis represents time. When the user subscribes to the BCMCS service in the BCMCS AAA of the party, the RK is established or opened. Each BCMCS content provider has a corresponding RK for each user. Only UIM and its own service provider/local content service provider know RK. Next, the RK setup procedure shown in Fig. 23 will be described. - Step a: After receiving the user's order, the BCMCS Control Center will transmit the RK establishment request to the subscriber's own service provider HLR/AC for indicating the subscriber's identification identity (SUB-ID). And the BCMCS content provider it owns identifies the identity. - Step b: HLR/AC uses the existing AKA program to build RK in UIM. - Step c: After the RK is successfully built in the UIM, the HLR/AC passes the RK to the BCMCS Control Center. A BAK download occurs when requested by the MS. Each BAK has an associated BAK lifetime in which the BAK is identified by a BAK identification or serial number. Each BCMCS program identified by the Content ID has its own BAK. The Home Content Provider ID and Content ID are unique to each BCMCS program. The correspondence between the BCMCS_ID and (Local Content Provider ID + Content ID) value pairs is performed natively in the local BCMCS Control Center. Only the local BCMCS Control Center and UIM know BAK. Next, explain the BAK download process. - Step a: After the subscriber orders the BCMCS service or the BAK lifetime expires 87743 -54- 1280768, UIM immediately requests BAK download and the MS will pass the request to the local BCMCS Control Center. - Step b: The local BCMCS Control Center entity transmits a temporary key request to the BCMCS Control Center, so that the local BCMCS Control Center entity can use the temporary key to encrypt the BAK. - Step c: The Home BCMCS Key Encryptor generates TK_RAND and is calculated from the input RK and TK_RAND by using a function [TK=f(TK_RAND, RK)]. TK. The BCMCS Key Encryptor can generate an array value pair set for future use, so that there is no need to always trade between the BCMCS Control Center and the local BCMCS Control Center. Then, the BCMCS control center forwards several TKs back to the local BCMCS control center. - Step d · The local BCMCS Key Encryptor generates a BAK encrypted with TK and generates BAK— RAND. Next, the local BCMCS key cipher uses a function [BAK_AUTH=f(BAK_RAND, BAK)] to calculate BAK_AUTH from the input BAK and BAK_RAND. Then, the local BCMCS key cipher transmits the BAK, BCMCS_ID, TK_RAND, BAK__AUTH, and BAK_RAND encrypted using the corresponding BAK_ID and BAK lifetime to the UIM 〇 UIM using the input TK_RAND and the storage itself. The RK calculates the TK and then uses TK to decrypt the BAK. BAK_AUTH will be calculated using BAK and BAK_RAND compared to the received BAK_AUTH. If it does not match 87743 -55- 1280768, return to step a. Figure 24 shows a BCMCS architecture in which the local service provider owns a content server (CS). The entities owned by system 1100 are defined as follows. • The local HLR/AC: - Provide BCMCS service subscription - Account processing information for BCMCS service Generate temporary key for decrypting BAK (Temporary Key; TK) • Local BCMCS Control Center (Local BCMCS Control):

- BAK to generate BCMCS service - Use TK to encrypt BAK - Download encrypted BAK to UIM via B2 interface - Pass BAK to RAN to generate SK and also indicate SK lifetime • BCMCS content server: - Provide BCMCS content . The interface shown in Fig. 24 is defined as follows. • B2 interface (local BCMCS Control Center - PDSN) · · - Download encrypted BAK to UIM via IP communication protocol • B3 interface (local BCMCS Control Center - BSC/PCF): Pass BAK to RAN - Will SK lifetime Transfer to RAN • B5 interface (local BCMCS Control Center - BSC/PCF): - Pass the TK set to the local BCMCS Control Center in System 1100, since the service provider owns the BCMCS Content Server, RK and A-key The exchange program will use A-key. 87743 -56- 1280768 About System 1100, BAK download occurs when MS requests BAK or update. Each cockroach has an associated ΒΑΚ lifetime. Each BCMCS program identified by the Content ID has its own BAK. Only the local BCMCS Control Center and UIM know BAK. Next, the BAK download program will be explained. - Step a: After the subscriber orders the BCMCS service or the BAK lifetime expires, the UIM immediately requests the BAK download and the MS passes the request to the local BCMCS Control Center. Step b: The local BCMCS Control Center transmits a temporary key request to the BSC/VI^R so that the local BCMCS Control Center entity can use the temporary key to encrypt the B AK. - Step c: The BSC/PCF transmits the temporary key request to the HLR/AC via the MSC/VLR. - Step d: HLR/AC generates TK_RAND, and calculates TK from the input A Key and TK_RAND by using a function [TK&gt;f(TK_RAND, A Key)]. The HLR/AC will generate array value pairs to be used in the future, so there is no need for the MSC/VLR to trade between the HLR/AC and the BSC/PCF. Next, the HLR/AC transmits several TKs back to the BSC/PCF via the MSC/VLR. - Step e: BSC/PCF passes the TK to the local BCMCS Control Center.

Step b: The local BCMCS key control center generates a BAK and encrypts the BAK using one of the TKs. The local BCMCS Key Control Center also generates BAK_RAND, and then uses a function [BAK_AUTH=f (BAK_RAND, BAK)] to calculate BAK_AUTH from the input BAK 87743 -57- 1280768 and BAK_RAND. Then, the local BCMCS Key Control Center transmits the BAK, BCMCS_ID, TK_RAND, BAK_AUTH, and BAK_RAND encrypted using the corresponding BAK_ID and BAK lifetime to the UIM via the MS. UIM uses the input TK_RAND and its stored A Key to calculate the TK, and then uses ΤΚ to decrypt Β. Then use the input ΒΑΚ and BAK-RAND to calculate your own BAK-AUTH. The local BCMCS Key Control Center compares the calculated B AK_AUTH with the received B AK_AUTH. If it doesn't match, it will start again from step a. Note that for specific embodiments that provide encryption at the link layer, such an encrypted configuration does not block IP level encryption. If IP level encryption is enabled, key layer encryption should be disabled. Next, the short term key (SK) download procedure will be described. - Step a: The BCMCS Control Center transmits the BAK and BAK lifetime to the BSC/PCF and transmits the SK lifetime, requesting the BSC/PCF to use the indicated SK lifetime to generate the SK. - Step b: The BSC/PCF transfers the SK that has been encrypted with BAK to the UIM via the MS. - Step c: UIM uses BAK to decrypt the SK and pass it back to the MS. - Step d: The BCMCS content server transmits the plain text broadcast content to the BSC/PCF via the PDSN. Step 骡e: The BSC/PCF uses SK to encrypt the broadcast content, and then transmits the encrypted broadcast content in a wireless manner. In summary, BCMCS is discovered in the out of band. The user subscribes to the out-of-band 87743 -58- 1280768 BCMCS service (SUB ID). If the service provider does not own the content server, it will establish the root machine code or register the machine code (RK) via the AKA at the UIM; otherwise, the RK will use the A-key. Transfer the TK to the local BCMCS Control Center node. BAKs that have been encrypted with TK are downloaded to the UIM via a visited network (PDSN) using a special UDP nickname. The MS adds a signal message to find out if there is a broadcast service available for a particular sector. The MS performs registration (BCMCS_ID). Figure 25 shows a bearer path for establishing a multicast service between CS and PDSN via provisioning. Figure 26 shows the bearer path for establishing a unicast service between CS and PDSN via the provisioning process. Figure 27 shows the establishment and removal of a multicast service bearer path between the CS and the PDSN via MS registration and deregistration. • Establish BCMCS Bearer Path (if not) • MS Begins Monitoring BCMCS Channels Figure 9 shows a security protection high level architecture 600 in accordance with a particular embodiment. The CS 602 provides content information to a Content Encryptor (CE) 604. The CE 604 is used to generate SK and can be used to encrypt SK. The Content Encryptor (CE) 604 provides: 1) content encrypted using SK; 2) SPI; or 3) - encrypted SK (as described below) to a broadcast receiver 606. In addition, CE 604 also receives BAK, BAKseq (for identifying BAK values) and SK lifetime (specifying the expiration date of SK) from BAK generator 612. The value is provided to the CE 604 for processing. The CE 604 encrypts the content and provides the encrypted result to the broadcast receiver 606. The CE 604 also provides the BAKseq to the broadcast receiver 606. When updating the BAK, the BAKseq value identifies the particular BAK. Note that the content plus 87743 -59 - 1280768 cc (CE) 604 produces SK. SK may be generated on an SPI basis or on an encrypted SK (Encrypted SK; ESK) basis. If SK is generated based on SPI, it will be from a 4-bit BAKseq and

R 28-bit SPI-0AND to form the SPI. When SPI 2 (BAKseq, SPI_RAND), the packetized SK is generated by encrypting SPI_RAND using BAK, where "X-RAND" is used to estimate the random number of X. The SPI change indicates that SK has changed. The Content Encryptor (CE) 604 selects SPI_RAND, generates SK, and constructs SPI (BAKseq, SPI-RAND). The Content Encryptor (CE) 604 uses the SK to encrypt the content and transmits the SPI along with the encrypted content to the Broadcast Receiver 606. The broadcast receiver 606 extracts the SPI and transmits the SPI to the UIM 608, which is calculated by the UIM 608 using SPI_RAND and BAK. The UIM 608 transmits the SK to the broadcast receiver 606, causing the broadcast receiver 606 to decrypt the content using the SK. For ESK, the Content Encryptor (CE) 604 uses the BAK to encrypt the SK to generate the ESK. The Content Encryptor (CE) 604 selects to generate the SK and computes the ESK from the SK to form (BAKseq, ESK). The Content Encryptor (CE) 604 uses the SK to encrypt the content and periodically transmits (BAKseq, ESK) along with the encrypted content to the Broadcast Receiver 606. The broadcast receiver 606 transmits (BAKseq, ESK) to the UIM 608, which calculates the SK by the UIM 608 and passes the SK back to the broadcast receiver 606. Next, the broadcast receiver 606 uses SK to decrypt the content. It may be transmitted in a packet that will have a unique nickname (BAKseq, ESK), which creates a synchronization problem. The broadcast receiver 606 provides content decryption and signaling. The broadcast receiver 606 receives the encrypted content nodes 87743 - 60 - 1280768, SPI (or ESK) and BAKseq from the content encryptor (CE) 604. The broadcast receiver 606 provides the SPI (or ESK) and BAKseq to the UIM 608 and receives the SK request and/or BAK request from the UIM 608. In addition, the broadcast receiver 606 provides the BAK encrypted with RK to the UIM 608, or provides the BAK encrypted with TK-RAND to the UIM 608 〇 UIM 608 to store the terminal root directory code K, the SS root directory code RK and Access key BAK. UIM 608 determines the RK value and the TK value. UIM 608 decrypts BAK and uses SPI and BAK to determine SK. In the alternative, UIM 608 will also be adjusted to use the BAK to decrypt the ESK to form the SK. UIM 608 passes SK to the ME (not shown). A content access manager 610 provides a BAK update command to the BAK generator 612. The BAK generator 612 generates BAK and BAK numbers (ie, BAKseq). The BAK generator 612 provides the BAK, BAKseq, and SK lifetimes to the Content Encryptor (CE) 604. The BAK generator 612 provides the BAK, BAKseq, and BAK lifetimes (the expiration date of the designated BAK) to the BAK Distribution Server 616. A service authorization unit 614 provides an authorization to the BAK distribution server 616. The BAK Dissipation Server 616 receives the BAK request from the Broadcast Receiver 606. The BAK Dissipation Server 616 is adapted to provide a random BAK update time, a BAK encrypted with RK or RK-RAND, and a BAK encrypted with TK to the broadcast receiver 606. In the first case, the BAK Dissipation Server 616 receives the BAK request from the Broadcast Receiver 606 and the identified BAK identification (i.e., BAKseq). In response to the action, the BAK Distributing Server 616 provides a TK request to the Ordering Server (SS) 618. SS 618 saves 38 and 1; 11^'s only ruler [87743 -61 - 1280768 Jin Weng. S S 618 uses the root directory code and TK-RAND to form S&amp;Temporary Key (TK). The SS 618 then transmits the TK_RAND value to the BAK Distributing Server 616. In the second case, the BAK Distributing Server 616 transmits the BAK request received from the Broadcast Receiver 606 and the BAK specified by the BAKseq to SS 618. In response to the action, SS 618 uses RK to encrypt the BAK and passes the encrypted BAK back to the BAK Distributing Server 616. In another case, the BAK Dissipation Server 616 provides a -τκ request to the authentication server 620. The authentication server 620 stores the terminal root directory code κ and uses the root directory code and the random number to form τκ and/or rk. The authentication server 620 then transmits the TK-RAND value to the ΒΑΚ 祠 server 616. Please note that in the following, the ΒΑΚ-distribution server 616 is also referred to as a ΒΑΚ encryptor. UIM 608 uses the RK-RAND provided by the authentication server 620 to calculate RK. The authentication server 620 provides the ruler RAND in response to the RK request from the UIM 608. The authentication server 620 also provides a sense value to the SS 618. The BAK Dissipation Server 616 provides a random BAK update time to the UIM 608. This random BAK update time indicates when the UIM 608 requires a BAK update. The random update time ensures that all users do not require updates at the same time to create a system load. Figures 1, 图, 11 and 12 show various embodiments of encryption and security protection applications for various system configurations. Each figure shows the legend indication signal, the gold wheel and the information flow in the system. The legend is located in the lower right corner of the diagram. As shown in the example in the figure, encryption can be performed at the link layer, for example, at 87744 -62 - 1280768 Base Station Controller (BSC), Packet Control Function Node (PCF) node, others Encryption is performed like a node or a combination thereof. Figure 1 shows a specific embodiment of the link layer encryption method. End-to-end encryption can also be provided, as shown in the specific embodiment of FIG. Note that IPsec has been used in the foregoing to illustrate end-to-end encryption. The specific embodiment shown in Figure 11 performs encryption at the application layer. Please note that the BAK will be updated periodically or not. The BAK update may be SS-encrypted, where a BAK encryptor will pass the BAK to the SS; the SS encrypts the BAK and passes the encrypted BAK back to the BAK encryptor. Specifically, the BAK encryptor transmits the BAK to the SS. SS uses RK to encrypt BAK into encrypted BAK (Encrypted BAK; EBAK). The SS passes the EBAK back to the BAK encryptor. The BAK encryptor passes the EBAK back to the UIM, and the UIM uses RK to decrypt the EBAK to restore the BAK. In the alternative, the BAK can be encrypted locally. In this case, SS provides a Temporary Key (TK) to the local BAK Encryptor. If the BAK encryptor is in the local area network, the BAK encryptor can treat CK as TK, where CK is derived from the authentication vector (AV). The location of the BAK encryptor can be designed according to system requirements and goals. The BAK encryptor has the best (TK-RAND, TK) value pair to the SS. In a specific embodiment, TK is known as: TK = f (TK - RAND, RK). (11) The BAK Encryptor can reuse (TK-RAND, TK) value pairs. SS can transmit multiple value pairs. Next, the BAK encryptor uses TK to encrypt the BAK to form an EBAK. The BAK Encryptor then transfers (TK_RAND, EBAK) to 87743 -63 - 1280768 UIM. UIM uses the previous equation (11) to construct TK. UIM uses ΤΚ to decrypt ΕΒΑΚ to restore ΒΑΚ. In an alternate embodiment, the authentication and account management (ΑΑΑ) unit (HLR/AAA) is used to encrypt the update. In this case, SS is HLR/AAA. MS performs a special negotiation. The authentication vector (AV) includes a CK, where CK is defined as: CK = f (CK - RAND, K), (12) where K is equal to the A-key root directory code located on the HLR or the local network. The BAK encryptor can reuse CK-RAND, TK) value pairs, and HLR/AAA can transmit multiple value pairs. CK and CK_RAND are passed to the ΒAK encryptor, and the BAK encryptor uses CK to encrypt the BAK to form an EBAK. The BAK Encryptor then transmits the (CK_RAND, EBAK) value pair to the UIM. In response, UIM uses the previous equation (12) to form CK. UIM uses CK to decrypt EBAK to form a BAK. In a specific embodiment, the BAK encryptor is associated with a single content server (CS). In an alternate embodiment (as shown in Figure 12), a central BAK encryptor that can be associated with multiple content servers (CS) is employed. The SK will be updated periodically or at irregular intervals. In a specific embodiment, the SK line is derived from SPI. In an alternative embodiment, an SK in an encrypted form is provided. A special apostrophe can be used to indicate the packet containing the SK. For example, a broadcast frame identification item (e.g., BSR_ID) can be set to a predetermined value (e.g., π000π) to indicate a packet containing SK. The specific embodiment illustrated in Figure 10 provides link layer content encryption. System 700 includes a UIM 702 coupled to an ME 704. The UIM 702 provides an unencrypted 87743-64 - 1280768 BAK to the ME 704. The ME 704 provides an encrypted BAK to the UIM 702. Likewise, ME 704 provides RK-AKA to UIM 702. As shown, SK generation, SK encryption, and content are performed on a Base Station Controller/Packet Control Function (BSC/PCF) node 708 located at a content provider owned by the local area network. encryption. Unencrypted content from an internal content source (CS2) 722 is provided to a packet data server node (PDSN) 710. The PDSN 710 then passes the unencrypted content to the BSC/PCF 708. A CS2 BAK generator 724 provides the unencrypted BAK value to the PDSN 710; and the CS2 BAK encryptor 726 receives the BAK request from the PDSN 710 and returns an encrypted BAK. The PDSN 710 then forwards the unencrypted content, the unencrypted BAK, and the encrypted BAK to the BSC/PCF 708. The regional network includes an MSC 706 for use as a VLR. The BSC/PCF 708 receives the RK from the MSC 706 in response to an RK request. An AC 730 located in the local network 728 is used as the HLR. The MSC requests RK from AC 730, and AC 730 responds to the request to provide RK. The MSC 706 provides the RK to the BSC/PCF 708, which provides the RK to the ME 704. Additionally, the BSC/PCF 708 provides the encrypted content and the encrypted BAK to the ME 704. A local third-party vendor content provider 720 includes an external content source (CS1) 714, a CS1 BAK generator 716, and a CS1 BAK encryptor 718. The encrypted BAK from the BAK encryptor 718 is provided to the PDSN 710. The external content source CS1 714 provides the unencrypted content and the unencrypted BAK to the PDSN 710. The entity 732 for storing subscriptions includes a subscription server 734. MSC 706 87743 - 65 - 1280768 provides RK to the subscription server 734. The request and TK-RAND value pairs are transmitted between the subscription server 734 and the 加密 encryptors 718, 726. The legend in Figure 10 illustrates the provision of signal sequences in which the signals are listed in descending order from the RK requirement. The specific application example shown in Figure 11 provides end-to-end content encryption. The configuration of system 800 is similar to the configuration of system 700; however, in system 800, content source (CS2) 822 provides SK generation, SK encryption, and content encryption. The content source 822 provides an encrypted content to the PDSN 810; and the buffer 826 encrypts and transmits an encrypted packet to the PDSN 810 in response to a request. The PDSN further receives the encrypted content from the external content source (CS1) 814 within the local collaborative content provider 820. As in content source 822, the external content source 814 performs SK generation, SK encryption, and content encryption. The ΒΑΚ encryptor 818 provides an encrypted ΒΑΚ to the PDSN 810. Next, the PDSN 810 provides the encrypted content and the encrypted BAK to the BSC/PCF 808. The embodiment shown in Figure 12 provides centralized BAK encryption for end-to-end content encryption. The configuration of system 900 is similar to the configuration of system 800; wherein SK generation, SK encryption, and content encryption are performed by content source (CS2) 922 and the external content source (CS1) 914. System 9A includes a centralized BAK encryptor 912 for receiving unencrypted BAKs from CS2 BAK generator 924 and CS1 BAK generator 916. In response to the action, the centralized BAK encryptor 912 provides an encrypted BAK to the PDSN 910 in response to a BAK request. The centralized BAK encryptor 912 is further coupled to the subscription server 932 to negotiate TK requirements and TK-RAND/value pairs. 87743 -66- 1280768 Figure 13 shows a timing diagram for providing RK. The vertical axis represents the time axis and the system components are provided on the upper horizontal axis. The ME initiates the Authenticated Key Agreement (AKA) procedure by transmitting a message to the MSC (as a VLR). The blocks in the figure are identified by the AKA as the AKA program. The MSC then transmits an Authentication Vector (AV) request to the HLR. The HLR selects a RAND value and generates an AV accordingly. The AV can include a random number RAND and a variable as follows: AUTH=fl(RAND, K) (13) XRES-f2(RAND? K) (14) CK=f3(RAND,Κ) (15) where fl, F2, f3, etc. are used to indicate the different functions used to calculate the variables. The HLR provides the AV to the MSG or VLR. Note that if the MSC has a backup AV, the backup AV will be used and there is no need to request an AV from the HLR. Information from the AV is forwarded to the UIM, which is verified by the UIM and the processed variables are calculated. This process is then verified by the MSC. The MSC verifies the authentication by calculating the AUTH according to equation (13) and further calculating the following variables: RES=f2(RAND, K) (16) RK=CK=f3(RAND5 K) (17) Transmitting the RK value To SS, the verification process continues with SS. Next, the SS performs further verification by selecting a random number RAND2 and calculating: AUTH2=fl(VER_RAND2? RK) (18) The SS provides the authentication information to the UIM, and the UIM verifies the authentication and will recognize 87744 - 67- 1280768 (or negative approval) is provided to ME ° Figure 14 shows a time diagram used to illustrate the SS generating an encrypted BAK value. Referring to the example shown in FIG. 9, the BAK Distributing Server (or Encryptor) 616 transmits a BAK request to the SS 618, and the SS 618 encrypts 8 people using 1^ to form an EBAK. SS 618 transmits the EBAK to the BAK Distributing Server 616. As shown in Figure 14, the ME requests B AK from the SS via the B AK encryptor. The ME transmits a BAKreq message to the BAK encryptor. The BAK Encryptor then transmits the BAK and related information to the SS. The SS receives the BAK and generates an encrypted BAK (Encrypted BAK; EBAK). The EBAK is forwarded to the UIM, and the EBAK is decrypted by the UIM to restore the BAK, which is calculated as follows: BAK=D[EBAK5 RK] (19) where D[] is the decryption operator. The UIM calculates the following equation to further verify BAK: AUTH_BAK=fl(RAND__BAK5 BAK) (20) The UIM transmits an acknowledgement or failure message in response to this verification. When the verification fails, the ME performs or initiates a failure process. Note that throughout the specification, the various functions that are used to calculate the variables may be the same function, or may be individually indicated. Figure 15 shows a timing diagram for explaining the local encrypted BAK processing. Referring to the example shown in FIG. 9, the BAK distribution server (or encryptor) 616 transmits a TK request to the SS 618, and the SS 618 uses the root directory code and a garbled TK_RAND to form a TK 〇 SS 618. TK_RAND Transfer to the BAK Distributing Server 616. Next, the B AK Dissipation Server 616 uses TK__RAND to encrypt the BAK. As shown in Figure 15, the ME transmits a BAKreq message to the 87743 - 68 - 1280768 BAK Encryptor. If the BAK Encryptor does not have current ordering information, the BAK Encryptor will request the ordering information from the SS. If the BAK encryptor does not have a TK value pair, the SS will select a random number TK_RAND and calculate TK according to the following equation: TK = f(TKBAND, RK). (21) The SS transfers the array (TK_RAND, TK) value pair to the BAK encryptor. The BAK encryptor uses TK to encrypt the BAK to calculate the EBAK. Next, the BAK encryptor provides EBAK, TK-RAND and other BAK information to the ME, and the ME forwards the information to the UIM. The UIM calculates TK according to equation (21), calculates EBAK according to equation (19), and calculates AUTH_BAK 〇 UIM verification BAK according to equation (20), and accordingly transmits an acknowledgement or failure message to the ME. When the verification fails, the ME performs or initiates a failure process. The security protection shown in Fig. 16 is such that during the authentication procedure, the local Β has received the AV, and then uses the random value from the AV to generate ΤΚ. In this case, the ΑΚ ΑΚ encryptor is the VLR. The ΑΚ ΑΚ encrypts an AV request to the SS (considered HLR). In response to the action, SS selects a random number RAND and calculates AUTH, XRES, and CK according to equations (13), (14), and (15), respectively. The SS transmits the AV to the BAK encryptor' to encrypt the BAK by the BAK encryptor to constitute the EBAK. Then the BAK adds, benefits the RAND, EBAK and BAK information to the ME, and the ME forwards the information to the UIM. The UIM calculates TK according to equation (21), calculates EBAK according to equation (19), and calculates AUTHJBAK according to equation (20). The UIM verifies Β AK and transmits an acknowledgement or failure message to the ME accordingly. When the verification fails, the ME executes or initiates a failure process. 87743 - 69 - 1280768 Figure 17 shows a timing diagram for illustrating link layer encryption, where the BSC encrypts the SK and the content. Please refer to FIG. 9 and FIG. 10, in which the BSC 708 performs SK generation, SK encryption, and content encryption. As shown in FIG. 17, the B AK encryptor provides B AK, BAK information, and SK information to the BSC. The BSC selects an SK and uses BAK to encrypt the SK to form the ESK. The BSC further selects a random number SK-RAND and calculates AUTH_SK according to the following equation: AUTH_SK = fl(SK_RAND, SK). (22) The BSC provides ESK, SK_RAND, AUTH_SK and BAK information to the ME, and the ME forwards the information to the UIM. The way UIM calculates SK is as follows: SK=D[ESK, BAK], (23) and AUTH_SK is calculated according to the following equation (22). The UIM then passes the SK or failure message to the ME. When the verification fails, the ME performs or initiates a failure process. In order to verify that SK' now has an encrypted link available for secure communication. Key verification is a further security consideration in communication systems. If the communication and/or processing in the SS, BAK encryptor, etc. is confusing, the UIM may derive the wrong value key. Therefore, the UIM needs to determine that the moss has correctly provided RK, BAK, and SK. According to a specific embodiment, the verification is performed using a random number associated with a predetermined key, and the random number is used to perform the verification operation of the predetermined key. Next, the verification result is transmitted to the UIM. UIM checks the verification results. For example, suppose Kx represents RK, BAK, SK, or any other key specified in the communication system for encryption. The entity that has established the key 先 first selects a random number RAND-Kx. Next, the entity calculates a verification result according to the following equation: 87743 -70- 1280768 VERIF-Kx=f(RAND_Κχ,Κχ) ° (24) Then, the entity transmits the (RAND_Kx, VERIF_Kx) value pair to the UIM. Next, the UIM checks the verification result according to the definition of equation (24) to determine whether the Kx is correct. If the verification result is correct, UIM accepts the key. Otherwise, UIM performs key verification error handling, which may include notifying the relevant entity of the key error. If the entity does not receive a response from the UIM, the entity assumes that the key was received correctly. Similarly, ΒΑΚ verification is performed, in which the ΒΑΚ encrypter first performs a verification procedure before transmitting ΕΒΑΚ to the UIV. The ΒΑΚ encryptor selects a random number RAND_BAK, and calculates a verification result according to the following equation: VERIF_BAK=fl(RAND_BAK, BAK), (25) where ΒΑΚ is the key to be verified. The ΒΑΚ encryptor transmits (ΕΒΑΚ, RAND-BAK, VERIF_BAK) to the UIM. The ΒΑΚ encryptor also transmits additional information. The UIM decrypts and confirms equation (25). After confirmation, UIM will use the derived threshold value; otherwise, UIM will notify the 加密 encryptor of the error. Please note that in Jinyu verification, RAND_Kx can include a TIME value. In this case, VERIF_Kx becomes a "time stamp" for verifying the time when Kx is transmitted to UIM. In this way, a reply attack can be blocked, in which someone tries to confuse the UIM by transmitting the same packet sometime after the key has been used. UIM will detect a TIME error. An attacker cannot change TIME because changing TIME also changes the VERIF-Kx value. Those skilled in the art should understand that any of the various terms or techniques of 87743-71 - 1280768 can be used to represent information and signals. For example, data, instructions, commands, information, signals, bits, symbols, and wafers are advantageously represented by voltages, currents, electromagnetic waves, magnetic fields or particles, light fields or particles, or any combination thereof. Those skilled in the art should further appreciate that the various illustrative logic blocks, modules, circuits, and algorithms steps described in connection with the specific embodiments disclosed herein can be implemented as an electronic hardware, a computer software, or a combination thereof. In order to clearly illustrate the interchangeability of hardware and software, the components, blocks, modules, circuits, and steps of the various diagrams have been extensively described in terms of functions. The functionality is implemented as hardware or software, depending on the particular application and design constraints that affect the overall system. Those skilled in the art can implement the described functions in a different manner for each particular application, but such implementation decisions are not to be regarded as a departure from the scope of the invention. Use general purpose processors, digital signal processors (DSPs), dedicated integrated circuits (ASICs), field programmable gate arrays (FPGAs) or other programmable logic devices (PLDs), discrete gates or transistors Logic, discrete hardware components, or any combination thereof, to perform the functions described herein to implement or perform the various illustrative logic blocks, modules, and circuits described in connection with the specific embodiments disclosed herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller or state machine. The processor can be implemented as a combination of computer devices, such as a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors connected to a DSP core, or any other such configuration. The method or algorithm step described in the specific embodiments disclosed herein can be directly implemented by a hardware or a software module executed by a processor or a soft and hardware combination 87743 - 72 - 1280768. The software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, scratchpad, hard disk, removable disk, CD-ROM, or in this technology. Any other form of storage medium that is well known. An exemplary storage medium is a processor such that the processor can read information from the storage medium and write information to the storage medium. In the alternative, the storage medium can be integrated into the processor. The processor and storage medium can reside in the ASIC. The AS 1C can be present in a user terminal. In the alternative, the processor and the storage medium may reside as a separate component in the user terminal. The foregoing description of the specific embodiments of the invention is intended to be illustrative The various modifications of the specific embodiments are apparent to those skilled in the art, and the general principles defined herein may be applied to other specific embodiments without departing from the spirit or scope of the invention. Therefore, the present invention is not to be limited to the details of the embodiments disclosed herein, but the scope of the invention. BRIEF DESCRIPTION OF THE DRAWINGS Figure 1A shows a diagram of an encryption system. Figure 1B shows a diagram of a symmetric encryption system. Figure 1C shows a diagram of an asymmetric encryption system. Figure 1D shows a diagram of a PGP encryption system. Figure 1E shows a diagram of a PGP decryption system. Figure 2 shows a diagram of a spread spectrum communication system that supports several users. Figure 3 shows a block diagram of a communication system supporting broadcast transmission. Figure 4 shows a block diagram of a mobile station in a wireless communication system. 87743 -73 - l28〇768 Figure 5 shows the model used to control the broadcast access, Jin Yu in the update mobile station. Figure 6 shows a model for describing a cryptographic compilation job within a UIM. Wireless Transmission Supporting Broadcast Transmission Figures 7A through 7D show a method for implementing security protection encryption in a transmission system. Figure 7E shows a timing diagram for a security protection selection update period in a wireless transmission system supporting broadcast transmission. 8A to 8D show an application for implementing a security protection encryption method in a wireless transmission system of a post-Gude, Lanbian, and Du Zhiyi transmission. Figure 9 shows a high-level architecture diagram for security protection in a wireless transmission system that is transmitted by Yao. Figure 10 shows a block diagram of a communication system using link layer content encryption. Figure 11 shows a block diagram of a communication system using end-to-end content encryption. Figure 12 shows a generalized broadcast access key (BAK) encryption. Block diagram of the letter system.

Figure 16 shows a timing diagram for explaining the use of an authentication vector (AV) in the communication system to produce a temporary key (τκ) of 87743 - 74 - 1280768. Figure 17 shows a timing diagram for illustrating link layer encryption in a communication system. Figure 18 shows a communication system supporting a broadcast service and a multicast service. Figure 19 shows a timing diagram for explaining the broadcast access key (ΒΑΚ) update performed by the content server (CS). Figure 20 shows a timing diagram for explaining the updates performed by the Service Provider (SP). Figure 21 shows a diagram for deriving a decryption key from a frame by combining the information transmitted on a broadcast channel. Figure 22 shows a communication system architecture that supports BCMCS. Figure 23 shows a timing diagram of registration key (RK) construction in a communication system supporting BCMCS in which the own service provider does not own a content server (CS). Figure 24 shows a communication system architecture supporting BCMCS in which the home service provider owns a content server (CS). Figure 25 shows a timing diagram of a bearer path for establishing a multicast service via provisioning. Figure 26 is a timing diagram showing the bearer path for establishing a unicast service via the provisioning process. Figure 27 shows a timing diagram of a bearer path for establishing a multicast service via MS registration. [Illustration of Symbols] 10 Basic Encryption System 20 Symmetric Encryption System 87743 75 1280768 30 Asymmetric Encryption System 50 PGP Power System 100 Communication System 102A-102G Cell 104A-104G, 204 Base Station 106 Terminal 200 Wireless Communication System 201, 502, 602 Content Server (CS) 202 Packet Data Service Node (PDSN) 206, 300 MS (Mobile Station) 302 Antenna 304 Receive Circuit 306, 540, 704 Mobile Equipment (ME) 308, 512, 522, User Identification Module (UIM) 532, 608, 702 310, 540 Memory Storage Unit (MEM) 312 Processing Unit 314, 510, 520, 530 Confidential User Identification Module Memory Unit (SUMU) 316, 514 Confidential Use Operator Identification Module Processing Unit (SUPU) 350, 1000, 1100, System 700, 800, 900 504, 560, 544 Encoder 87743-76 - 1280768 508, 518 Function 516 Decoder 604 Content Encryptor (CE) 606 Broadcast Reception 610 Content Access Manager 612 BAK Generator 614 Service Authorization Unit 616 B AK Distribution Server 618, 734, 932 Subscription Server (SS) 620 Authentication Server 706 MSC 708 Base Controller/Packet Control (BSC/PCF) Node 710, 810, 910 Packet Data Serving Node (PDSN) 714, 814, 914 External Content Source (CS1) 716, 916 CS1 BAK Generator 718 CS1 BAK Encryptor 720, 820 Local third-party content provider 722 Internal content source (CS2) 724, 924 CS2 BAK generator 726 CS2 BAK encryptor 728 Local network 730 Authentication center (AC) 732 Entity 87743 -77 - 1280768 818 BAK force π dense 822, 922 Content Source (CS2) 912 Centralized ΑΚ ΑΚ Encryptor 87743 87743 -78 -

Claims (1)

1280768 Picking up and applying for a patent garden: 1. A method for managing an encryption key in a communication system supporting a broadcast service, comprising: requesting a remote network address of a remote remote station from a local network content provider ( Root key); applying an authentication procedure to distribute the root directory code to the remote station; and storing the root directory code in a user identification module (UIM) of the remote station. 2. An encryption key management method in a communication system supporting a broadcast service' includes: storing a directory code in a user identification module (UIM) of a remote station; receiving a broadcast service An encrypted broadcast access key (EBAK); the EBAK is decrypted based on the root directory code. 3. The method of claim 2, wherein the EBAK is encrypted using a temporary key (TK), the method further comprising: receiving a random number associated with the temporary key (TK); using the root directory The machine code generates the TK from the random number; the TK is used to decrypt the EBAK. 4. The method of claim 3, wherein the EBAK is periodically updated, and each EBAK has a related BAK identification item, wherein each EBAK has a related TK and a random number. 5. If the method of claim 2 is applied, the EBAK will be encrypted on an interviewed content server 87743 1280768. 6. The method of claim 5, wherein the content server generates the defect and the random number. 7. An encryption key management method in a communication system supporting a broadcast service' includes: receiving an encrypted short-term key (SK), wherein the SK is encrypted using a broadcast access key (ΒΑΚ); Use this trick to decrypt the SK. 8. A secure transmission method, comprising: receiving a secure transmission request; requesting a broadcast access key: receiving an encrypted broadcast access key; generating a short-term key according to the broadcast access key; The content is encrypted based on confidential transmission considerations. 87743